15 matches found
ruby4.0-rubygem-jquery-rails-4.6.0-1.9 on GA media (moderate)
ruby4.0-rubygem-jquery-rails-4.6.0-1.9 on GA media Announcement ID: openSUSE-SU-2026:10350-1 Rating: moderate Cross-References: CVE-2015-1840 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in th...
CVE-2020-8167
A flaw was found in rubygem-actionview. A regression of CVE-2015-1840 causes Rails-ujs to send CSRF tokens to wrong domains. The highest threat from this vulnerability is to data integrity...
CSRF Vulnerability in rails-ujs
There is an vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains. Versions Affected: rails = 5.2.4.3, rails = 6.0.3.1 Impact ------ This is a regression of CVE-2015-1840. In the scenario where an attacker might be able to control the href attribute of an anchor ta...
Ruby on Rails: CSRF header is sent to external websites when using data-remote forms
Looks like there is a regression in the fix for CVE-2015-1840 H1 report. The origin isn't being checked before adding a CSRF header to data-remote forms. I noticed this when checking out the new rails-ujs repo. Example Rails template: submit Example http://attacker.com app require "sinatra" optio...
CVE-2015-1840
jqueryujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space...
CVE-2015-1840
jqueryujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space...
CVE-2015-1840
CVE-2015-1840 describes a CSRF/XSS-style risk in Rails tooling: jquery_ujs.js and rails.js could cause a CSRF token to be transmitted to a different-domain server when a URL attribute contains a leading space. This bypasses the Same Origin Policy under supported Rails setups (Rails 3.x/4.x with j...
CVE-2015-1840
jqueryujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space...
CVE-2015-1840
jqueryujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space...
openSUSE Security Update : rubygem-jquery-rails (openSUSE-2015-501)
rubygem-jquery-rails was updated to fix one security issue. This security issue was fixed : - CVE-2015-1840: CSRF Vulnerability in jquery-ujs and jquery-rails bsc934795. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from...
Fedora Update for rubygem-jquery-rails FEDORA-2015-10258
The remote host is missing an update for the SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Fedora 21 : rubygem-jquery-rails-3.1.0-3.fc21 (2015-10144)
Security fix for CVE-2015-1840 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. %NASLMINLEVEL 70300 C...
Fedora 22 : rubygem-jquery-rails-3.1.0-3.fc22 (2015-10258)
Security fix for CVE-2015-1840 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. %NASLMINLEVEL 70300 C...
Fedora Update for rubygem-jquery-rails FEDORA-2015-10144
The remote host is missing an update for the SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
FreeBSD : rubygem-rails -- multiple vulnerabilities (eb8a8978-8dd5-49ce-87f4-49667b2166dd)
Ruby on Rails blog : Rails 3.2.22, 4.1.11 and 4.2.2 have been released, along with web console and jquery-rails plugins and Rack 1.5.4 and 1.6.2. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the FreeBSD VuXML...