Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-wm9p-z4n1-t7cs
Vulnerability ID VCID-wm9p-z4n1-t7cs
Aliases CVE-2020-8167
GHSA-xq5j-gw7f-jgj8
Summary CSRF Vulnerability in rails-ujs There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains. Versions Affected: rails <= 6.0.3 Not affected: Applications which don't use rails-ujs. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ This is a regression of CVE-2015-1840. In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent. Workarounds ----------- To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters. For example, code like this: link_to params to code like this: link_to filtered_params def filtered_params # Filter just the parameters that you trust end
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-352 Cross-Site Request Forgery (CSRF)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json
epss 0.00427 https://api.first.org/data/v1/epss?cve=CVE-2020-8167
cvssv3.1 5.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-xq5j-gw7f-jgj8
cvssv3.1 6.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml
cvssv3 6.5 https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
cvssv3.1 6.5 https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
generic_textual MODERATE https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
cvssv3.1 6.5 https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0
generic_textual MODERATE https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0
cvssv3.1 6.5 https://hackerone.com/reports/189878
generic_textual MODERATE https://hackerone.com/reports/189878
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2020-8167
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2020-8167
cvssv3.1 6.5 https://www.debian.org/security/2020/dsa-4766
generic_textual MODERATE https://www.debian.org/security/2020/dsa-4766
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json
https://api.first.org/data/v1/epss?cve=CVE-2020-8167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml
https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0
https://hackerone.com/reports/189878
https://nvd.nist.gov/vuln/detail/CVE-2020-8167
https://www.debian.org/security/2020/dsa-4766
1843084 https://bugzilla.redhat.com/show_bug.cgi?id=1843084
GHSA-xq5j-gw7f-jgj8 https://github.com/advisories/GHSA-xq5j-gw7f-jgj8
RHSA-2021:1313 https://access.redhat.com/errata/RHSA-2021:1313
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://hackerone.com/reports/189878
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-8167
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://www.debian.org/security/2020/dsa-4766
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.62685
EPSS Score 0.00427
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T09:11:27.800005+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-xq5j-gw7f-jgj8/GHSA-xq5j-gw7f-jgj8.json 38.6.0