Ruby/jquery-rails/3.0.4


This gem provides jQuery and the jQuery-ujs driver for your Rails 4+ application.

https://rubygems.org/gems/jquery-rails
MIT

4 Security Vulnerabilities

Moderate severity vulnerability that affects jquery-rails and jquery-ujs

Published date: 2017-10-24T18:33:36Z
CVE: CVE-2015-1840
Links:

jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.

Affected versions: ["4.0.3", "4.0.2", "4.0.1", "4.0.0", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0]
Recommendation: Update to version 4.4.0.

CSRF Vulnerability in jquery-rails

Published date: 2015-06-16
CVE: 2015-1840
CVSS V2: 5.0
Links:

In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to https://attacker.com (note the leading space) that will be passed to JQuery, who will see this as a same origin request, and send the user's CSRF token to the attacker domain.

To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters.

For example, code like this:

link_to params

to code like this:

linkto filteredparams

def filtered_params # Filter just the parameters that you trust end

See also: - http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/

Affected versions: ["4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0]
Recommendation: Update to version 4.4.0.

Prototype pollution attack through jQuery $.extend

Published date: 2019-04-19
Framework: rails
CVE: 2019-11358
CVSS V2: 4.3
CVSS V3: 6.1
Links:

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of bject.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Affected versions: ["4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0]
Recommendation: Update to version 4.4.0.

Potential XSS vulnerability in jQuery

Published date: 2020-04-29
Framework: rails
CVE: 2020-11023
CVSS V3: 6.9
Links:

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

Affected versions: ["4.3.5", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.beta2", "4.0.0.beta1", "3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "1.0.19", "1.0.18", "1.0.17", "1.0.16", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0", "1.0.rc", "0.2.7", "0.2.6", "0.2.5", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.2", "0.1.3", "0.1.2", "0.1.1"]
Secure versions: [4.4.0]
Recommendation: Update to version 4.4.0.

75 Other Versions

Version License Security Released
4.4.0 MIT 2020-05-08 - 15:51 over 1 year
4.3.5 MIT 1 2019-06-13 - 22:51 over 2 years
4.3.4 MIT 1 2019-06-13 - 22:49 over 2 years
4.3.3 MIT 2 2018-04-18 - 17:26 over 3 years
4.3.2 MIT 2 2018-04-18 - 17:24 over 3 years
4.3.1 MIT 2 2017-03-21 - 18:39 over 4 years
4.3.0 MIT 2 2017-03-21 - 18:36 over 4 years
4.2.2 MIT 2 2016-12-29 - 01:10 almost 5 years
4.2.1 MIT 2 2016-08-19 - 16:56 about 5 years
4.2.0 MIT 2 2016-08-19 - 16:53 about 5 years
4.1.1 MIT 2 2016-03-10 - 02:39 over 5 years
4.1.0 MIT 2 2016-01-12 - 23:34 almost 6 years
4.0.5 MIT 2 2015-09-01 - 05:37 about 6 years
4.0.4 MIT 2 2015-06-16 - 18:07 over 6 years
4.0.3 MIT 4 2014-12-29 - 21:19 almost 7 years
4.0.2 MIT 4 2014-12-19 - 23:51 almost 7 years
4.0.1 MIT 4 2014-12-16 - 16:22 almost 7 years
4.0.0 MIT 4 2014-11-26 - 00:29 almost 7 years
4.0.0.beta2 MIT 3 2014-09-06 - 03:17 about 7 years
4.0.0.beta1 MIT 3 2014-09-06 - 00:33 about 7 years
3.1.5 MIT 2 2018-04-18 - 17:35 over 3 years
3.1.4 MIT 2 2015-09-01 - 05:41 about 6 years
3.1.3 MIT 2 2015-06-16 - 18:08 over 6 years
3.1.2 MIT 3 2014-09-02 - 00:33 about 7 years
3.1.1 MIT 3 2014-06-23 - 14:37 over 7 years
3.1.0 MIT 3 2014-01-29 - 06:18 over 7 years
3.0.4 MIT 4 2013-07-11 - 03:45 over 8 years
3.0.3 MIT 4 2013-07-11 - 03:33 over 8 years
3.0.2 MIT 4 2013-07-04 - 18:51 over 8 years
3.0.1 MIT 4 2013-06-08 - 02:18 over 8 years
3.0.0 MIT 4 2013-05-29 - 06:52 over 8 years
2.3.0 MIT 4 2013-05-29 - 06:40 over 8 years
2.2.2 MIT 4 2013-05-29 - 05:50 over 8 years
2.2.1 MIT 4 2013-02-08 - 05:27 over 8 years
2.2.0 UNKNOWN 4 2013-01-19 - 17:13 almost 9 years
2.1.4 UNKNOWN 4 2012-11-26 - 17:23 almost 9 years
2.1.3 UNKNOWN 4 2012-09-24 - 15:08 about 9 years
2.1.2 UNKNOWN 4 2012-09-06 - 23:48 about 9 years
2.1.1 UNKNOWN 4 2012-08-18 - 06:44 about 9 years
2.1.0 UNKNOWN 4 2012-08-16 - 20:04 about 9 years
2.0.3 UNKNOWN 4 2012-08-16 - 17:59 about 9 years
2.0.2 UNKNOWN 4 2012-04-03 - 17:56 over 9 years
2.0.1 UNKNOWN 4 2012-02-28 - 23:56 over 9 years
1.0.19 UNKNOWN 4 2011-11-26 - 05:26 almost 10 years
1.0.18 UNKNOWN 4 2011-11-18 - 17:44 almost 10 years
1.0.17 UNKNOWN 4 2011-11-09 - 17:37 almost 10 years
1.0.16 UNKNOWN 4 2011-10-12 - 21:28 about 10 years
1.0.15 UNKNOWN 4 2011-10-12 - 20:57 about 10 years
1.0.14 UNKNOWN 4 2011-09-08 - 20:52 about 10 years
1.0.13 UNKNOWN 4 2011-08-11 - 22:16 about 10 years
1.0.12 UNKNOWN 4 2011-06-23 - 06:37 over 10 years
1.0.11 UNKNOWN 4 2011-06-15 - 23:38 over 10 years
1.0.10 UNKNOWN 4 2011-06-14 - 02:34 over 10 years
1.0.9 UNKNOWN 4 2011-05-26 - 03:38 over 10 years
1.0.8 UNKNOWN 4 2011-05-26 - 03:31 over 10 years
1.0.7 UNKNOWN 4 2011-05-22 - 02:42 over 10 years
1.0.6 UNKNOWN 4 2011-05-21 - 19:25 over 10 years
1.0.5 UNKNOWN 4 2011-05-17 - 21:48 over 10 years
1.0.4 UNKNOWN 4 2011-05-17 - 17:16 over 10 years
1.0.3 UNKNOWN 4 2011-05-17 - 13:46 over 10 years
1.0.2 UNKNOWN 4 2011-05-12 - 21:12 over 10 years
1.0.1 UNKNOWN 4 2011-05-11 - 06:56 over 10 years
1.0 UNKNOWN 4 2011-05-04 - 08:43 over 10 years
1.0.rc UNKNOWN 4 2011-05-04 - 03:12 over 10 years
0.2.7 UNKNOWN 4 2011-02-05 - 20:33 over 10 years
0.2.6 UNKNOWN 4 2010-12-02 - 06:38 almost 11 years
0.2.5 UNKNOWN 4 2010-11-04 - 17:22 almost 11 years
0.2.4 UNKNOWN 4 2010-10-17 - 06:56 about 11 years
0.2.3 UNKNOWN 4 2010-10-13 - 18:15 about 11 years
0.2.2 UNKNOWN 4 2010-10-08 - 21:45 about 11 years
0.2.1 UNKNOWN 4 2010-10-02 - 23:10 about 11 years
0.2 UNKNOWN 4 2010-10-02 - 18:12 about 11 years
0.1.3 UNKNOWN 4 2010-09-16 - 21:12 about 11 years
0.1.2 UNKNOWN 4 2010-08-18 - 08:46 about 11 years
0.1.1 UNKNOWN 4 2010-08-16 - 23:10 about 11 years