CVE-2015-1840
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
Vulnerabilidad en jquery_ujs.js en jquery-rails en versiones anteriores a 3.1.3 y 4.x anteriores a la versión 4.0.4 y vulnerabilidad en rails.js en jquery-ujs en versiones anteriores a 1.0.4, tal como se utiliza con Ruby on Rails en versiones 3.x y 4.x, permite a atacantes remotos poder evadir el Same Origin Policy y desencadena la transmisión de un token CSRF a un servidor web en un dominio diferente a través del caracter espacio encabezando una URL en un valor de atributo.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-02-17 CVE Reserved
- 2015-07-26 CVE Published
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://openwall.com/lists/oss-security/2015/06/16/15 | Mailing List | |
| http://www.securityfocus.com/bid/75239 | Vdb Entry |
| URL | Date | SRC |
|---|---|---|
| https://groups.google.com/forum/message/raw?msg=rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J | 2024-08-06 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 21 Search vendor "Fedoraproject" for product "Fedora" and version "21" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 22 Search vendor "Fedoraproject" for product "Fedora" and version "22" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Jquery-rails Search vendor "Rubyonrails" for product "Jquery-rails" | <= 3.1.2 Search vendor "Rubyonrails" for product "Jquery-rails" and version " <= 3.1.2" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Jquery-rails Search vendor "Rubyonrails" for product "Jquery-rails" | 4.0.0 Search vendor "Rubyonrails" for product "Jquery-rails" and version "4.0.0" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Jquery-rails Search vendor "Rubyonrails" for product "Jquery-rails" | 4.0.1 Search vendor "Rubyonrails" for product "Jquery-rails" and version "4.0.1" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Jquery-ujs Search vendor "Rubyonrails" for product "Jquery-ujs" | <= 1.0.3 Search vendor "Rubyonrails" for product "Jquery-ujs" and version " <= 1.0.3" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 13.1 Search vendor "Opensuse" for product "Opensuse" and version "13.1" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 13.2 Search vendor "Opensuse" for product "Opensuse" and version "13.2" | - |
Affected
| ||||||