RubySec

Providing security resources for the Ruby community

CVE-2015-9251 (jquery-rails): Cross-Site Scripting (XSS) in jquery

ADVISORIES

GEM

jquery-rails

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 6.1 (Medium)

CVSS v2.0: 6.1 (Medium)

PATCHED VERSIONS

  • >= 4.2.0

DESCRIPTION

Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

RELATED