RubySec

Providing security resources for the Ruby community

CVE-2015-9251 (jquery-rails): Cross-Site Scripting (XSS) in jquery

GEM

jquery-rails

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 6.1 (Medium)

CVSS v2.0: 6.1 (Medium)

PATCHED VERSIONS

  • >= 4.2.0

DESCRIPTION

Affected versions of jQuery interpret text/javascript responses from cross-origin Ajax requests and automatically execute the contents in jQuery.globalEval, even when the Ajax request doesn’t contain the dataType option.
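
To check whether an application is pinned to an affected release, the following added example (not part of the original advisory or of RubySec's tooling) reads the resolved jquery-rails version from Gemfile.lock text and compares it with the patched range listed above. The helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Patched range taken from the advisory: jquery-rails >= 4.2.0.
PATCHED  = Gem::Requirement.new(">= 4.2.0")
GEM_NAME = "jquery-rails"

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jquery-rails (4.1.1)
        rails-dom-testing (>= 1, < 3)
        railties (>= 4.2.0)
      some-engine (1.0.0)
        jquery-rails (>= 4.0)

  DEPENDENCIES
    jquery-rails
LOCK

# Return the resolved version of GEM_NAME, or nil if it is not locked.
# Resolved gems sit at exactly four spaces under "specs:"; deeper lines are
# other gems' dependency constraints and must not be read as versions.
def locked_version(lockfile_text)
  in_specs = false
  lockfile_text.each_line do |line|
    line = line.chomp
    if line =~ /\A  specs:\z/
      in_specs = true
    elsif line =~ /\A\S/ # a new top-level section ends the specs list
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      return Gem::Version.new(m[2]) if m[1] == GEM_NAME
    end
  end
  nil
end

# Classify a lockfile as :patched, :vulnerable or :not_present.
def audit(lockfile_text)
  version = locked_version(lockfile_text)
  return :not_present if version.nil?
  PATCHED.satisfied_by?(version) ? :patched : :vulnerable
end

puts audit(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK) if __FILE__ == $PROGRAM_NAME
```

Pass the path to a Gemfile.lock as the first argument to audit a real project; a pre-release such as 4.2.0.rc1 is reported as vulnerable because it sorts below 4.2.0.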

RELATED