VDB
CVE-2020-8167
CVE-2020-8167
PUBLISHED
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
EPSS 0.43% · 62.8th percentile
Risk Scores
EPSS Score
0.43%
62.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:18.04:LTS | rails | 0, *, 2:4.2.10-0ubuntu4 |
| Ubuntu:Pro:20.04:LTS | rails | 2:5.2.2.1+dfsg-1ubuntu1, 2:5.2.3+dfsg-3, 2:5.2.3+dfsg-3ubuntu0.1~esm1 |
| Ubuntu:Pro:16.04:LTS | rails | 2:4.2.6-1ubuntu0.1~esm2, 0, 2:4.2.6-1ubuntu0.1~esm1 |
Exploit Intelligence
- https://hackerone.com/reports/189878 (nist-nvd)
- CSRF header is sent to external websites when using data-remote forms (hackerone)
- CSRF header is sent to external websites when using data-remote forms (hackerone)
- CSRF header is sent to external websites when using data-remote forms (hackerone)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
…and 114 more exploits
Timeline
- CVE Published
- May 26, 2020 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-8167 third-party-advisory
- https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released third-party-advisory
- https://github.com/rails/rails/commit/fbc7bec074b5ef9ae22f79ca5d9bafec7b276dd3 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-8167 third-party-advisory