Sha256: a6bb6237f5ef9629c7b6334c507e60a3e1d8a08b74e2262ce0102b7e54b26b86

Size: 1.22 KB

Versions: 1

Stored size: 1.22 KB

Contents

---
gem: actionview
framework: rails
cve: 2020-8167
date: 2020-05-18
url: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
title: CSRF Vulnerability in rails-ujs
description: |
  There is a vulnerability in rails-ujs that allows attackers to cause
  CSRF tokens to be sent to the wrong domain.

  Versions Affected:  rails <= 6.0.3
  Not affected:       Applications which don't use rails-ujs.
  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

  Impact
  ------

  This is a regression of CVE-2015-1840.

  In the scenario where an attacker might be able to control the href attribute of an anchor tag or
  the action attribute of a form tag that will trigger a POST action, the attacker can set the
  href or action to a cross-origin URL, and the CSRF token will be sent.

  Workarounds
  -----------

  To work around this problem, change code that allows users to control the href attribute of an anchor
  tag or the action attribute of a form tag to filter the user parameters.

  For example, code like this:

      link_to params

  to code like this:

      link_to filtered_params

      def filtered_params
        # Filter just the parameters that you trust
      end

patched_versions:
  - "~> 5.2.4.3"
  - ">= 6.0.3.1"
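= 6.0.3.1"">

As an added illustration of the workaround above (example code, not part of the advisory or of Rails itself), here is a plain-Ruby spelling of the `filtered_params` idea together with a same-origin check on the href a rails-ujs POST link will carry. `TRUSTED_KEYS`, `same_origin?`, `safe_post_href` and the hostnames are assumptions constructed for this example.

```ruby
require 'uri'

# Assumption (constructed for this example): the application only lets
# users influence these keys when building a link or form action.
TRUSTED_KEYS = %w[controller action id].freeze

# The advisory's filtered_params helper, spelled out: keep only trusted
# keys so a user-supplied key such as "href" or "host" can never reach
# link_to / form_tag and point a rails-ujs POST at a foreign origin.
def filtered_params(params)
  params.select { |k, _| TRUSTED_KEYS.include?(k.to_s) }
end

# Defence in depth: before emitting an href that rails-ujs will turn into
# a POST (data-method), confirm it stays on the application's own origin.
# Relative paths pass; protocol-relative "//host", other schemes, other
# hosts and other ports all fail.
def same_origin?(href, app_origin)
  uri = URI.parse(href)
  return false if uri.scheme && !%w[http https].include?(uri.scheme)
  return true if uri.host.nil? && !href.start_with?('//')
  app = URI.parse(app_origin)
  uri.scheme == app.scheme &&
    uri.host&.downcase == app.host.downcase &&
    (uri.port || app.port) == app.port
rescue URI::InvalidURIError
  false
end

# Returns the href to render, or nil when it must not carry a CSRF token.
def safe_post_href(href, app_origin)
  same_origin?(href, app_origin) ? href : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a user smuggles an href alongside route params.
  user_params = { 'controller' => 'posts', 'action' => 'destroy',
                  'id' => '7', 'href' => 'https://evil.example/steal' }
  p filtered_params(user_params)
  p safe_post_href('//evil.example/steal', 'https://app.example')
end
```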

Version data entries

1 entry across 1 version & 1 rubygem

Version: bundler-audit-0.7.0.1
Path:    data/ruby-advisory-db/gems/actionview/CVE-2020-8167.yml