
GHSA-4whc-pp4x-9pf3

GitHub Security Advisory

jquery-rails and jquery-ujs subject to Exposure of Sensitive Information

GitHub Reviewed. Severity: MODERATE. Has CVE.

Advisory Details

jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4, and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the library's same-origin check and trigger transmission of a CSRF token to a different-domain web server via a leading space character in a URL within an attribute value.

The root cause is a parser mismatch: the cross-domain check applied to data-remote URLs did not tolerate leading whitespace, so a URL such as " https://attacker.example/" failed to parse as absolute and was treated as a relative, same-origin request, and the X-CSRF-Token header was attached. The browser's own URL parser ignores the leading space and sends the request to the attacker's host, which can accept the custom header via CORS and read the token. An attacker needs to control an attribute value (for example an href on a data-remote link) in a page served by the application, so the usual exposure is through content the application renders from user input. The fix is to upgrade to jquery-rails 3.1.3 or 4.0.4, or jquery-ujs 1.0.4, which resolve the URL with the browser's parser before comparing origins and treat unparseable URLs as cross-domain.
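The following is an added illustration, not code from jquery-ujs, jquery-rails or jQuery. It contrasts a regex-based cross-domain check of the shape jQuery's ajax layer used at the time (reconstructed here for illustration) with a parser-based check, the approach the fixed jquery-ujs takes, and shows what each does with a leading-space URL. The page origin, the token value and the attacker URL are constructed; nothing is sent over the network.

```javascript
// Added example: why a leading space in a URL leaked the CSRF token, and how
// resolving the URL with the browser's parser before the origin check fixes it.
// PAGE_ORIGIN, CSRF_TOKEN and the attacker URL are constructed for this demo.
const PAGE_ORIGIN = 'https://app.example';
const CSRF_TOKEN = 'constructed-token-value';

// (1) Regex-based check modeled on jQuery's historical cross-domain detection
// (a reconstruction, not copied from jQuery). The pattern is anchored at ^, so
// " https://evil.example/x" does not match at all; parts is null and the
// caller treats a non-match as a relative, same-origin URL. That is the bug.
const rurl = /^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/;
const defaultPort = (scheme) => (scheme === 'http:' ? '80' : '443');

function isCrossDomainRegex(url) {
  const origin = rurl.exec(PAGE_ORIGIN.toLowerCase());
  const parts = rurl.exec(url.toLowerCase());
  return !!(parts && (
    parts[1] !== origin[1] ||
    parts[2] !== origin[2] ||
    (parts[3] || defaultPort(parts[1])) !== (origin[3] || defaultPort(origin[1]))
  ));
}

// (2) Parser-based check, the approach the fixed jquery-ujs uses: resolve the
// URL with the same parser the browser will use for the request (an <a>
// element in a browser; the WHATWG URL class here in Node). That parser strips
// leading and trailing whitespace, so the comparison sees the real origin.
// Anything the parser rejects is treated as cross-domain, the safe default.
function isCrossDomainParsed(url) {
  try {
    return new URL(url, PAGE_ORIGIN).origin !== new URL(PAGE_ORIGIN).origin;
  } catch (e) {
    return true;
  }
}

// Where the browser actually sends the request, using its own parser.
function resolvedDestination(url) {
  return new URL(url, PAGE_ORIGIN).origin;
}

// Simulated ajax prefilter: attach the token only when the supplied check
// says the request is same-origin. Returns the destination the browser
// would use and the headers that would go on the wire.
function buildRequest(url, crossDomainCheck) {
  const headers = { Accept: '*/*' };
  if (!crossDomainCheck(url)) {
    headers['X-CSRF-Token'] = CSRF_TOKEN;
  }
  return { destination: resolvedDestination(url), headers };
}

// Demo on a constructed attacker-controlled attribute value.
const attackerUrl = ' https://evil.example/collect';
console.log('vulnerable check:', buildRequest(attackerUrl, isCrossDomainRegex));
console.log('fixed check:     ', buildRequest(attackerUrl, isCrossDomainParsed));
```

The vulnerable path reports a destination of https://evil.example together with an X-CSRF-Token header; the fixed path reports the same destination with no token. The same mismatch class applies to any client-side check that parses a URL with a different parser than the one that will issue the request, so the durable defence is to derive the origin from the request's own parser rather than from the raw attribute string.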

Affected Packages

RubyGems jquery-rails
Affected versions: < 3.1.3 (fixed in 3.1.3)
RubyGems jquery-rails
Affected versions: >= 4.0.0, < 4.0.4 (fixed in 4.0.4)
RubyGems jquery-ujs
Affected versions: < 1.0.4 (fixed in 1.0.4)

Related CVEs

Key Information

GHSA ID
GHSA-4whc-pp4x-9pf3
Published
October 24, 2017 6:33 PM
Last Modified
January 20, 2023 10:28 PM
CVSS Score
5.0 /10
Primary Ecosystem
RubyGems
Primary Package
jquery-rails
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 30, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.