CVE-2015-1840: CSRF vulnerability
In the scenario where an attacker is able to control the href attribute of an anchor tag, or the action attribute of a form tag, that will trigger a POST request, the attacker can set the href or action to " https://attacker.com" (note the leading space). That value is passed to jQuery, which treats it as a same-origin request and sends the user's CSRF token to the attacker's domain.
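The following is an added illustration, not code from this advisory or from jQuery: a minimal model of why a leading space slips past a same-origin check that parses the raw string, beside a hardened check that lets the URL parser normalise the value the way the browser will when it sends the request. The origin "https://app.example.com" and the sample targets are constructed for the example.

```javascript
// Assumed application origin used for the comparison (constructed for this example).
const ORIGIN = "https://app.example.com";

// Naive check: pull scheme and host out of the raw string with a regex anchored
// at the start. A leading space means the regex does not match at all, so the
// URL is treated as relative, i.e. same-origin, and the token would be attached.
const RURL = /^([\w.+-]+:)\/\/(?:[^\/?#]*@)?([^\/?#:]*)/;
function naiveIsCrossDomain(url) {
  const target = RURL.exec(url.toLowerCase());
  if (!target) return false;                 // "no scheme" -> assumed relative
  const origin = RURL.exec(ORIGIN.toLowerCase());
  return target[1] !== origin[1] || target[2] !== origin[2];
}

// Hardened check: resolve the URL with the WHATWG URL parser, which strips
// leading/trailing whitespace exactly as the browser does before fetching, so
// " https://attacker.com" resolves to attacker.com and compares unequal.
// Anything unparseable is treated as cross-domain so no token is attached.
function safeIsCrossDomain(url) {
  let target;
  try {
    target = new URL(url, ORIGIN);
  } catch (e) {
    return true;
  }
  return target.origin !== new URL(ORIGIN).origin;
}

// Would a CSRF token header be attached to a request for url under this check?
function wouldSendCsrfToken(url, isCrossDomain) {
  return !isCrossDomain(url);
}

// Constructed sample targets, including the advisory's leading-space case.
const SAMPLES = [
  "/posts/1",
  "https://app.example.com/posts",
  "https://attacker.com",
  " https://attacker.com",
];

// Table of [url, tokenSent] for a given check, for side-by-side comparison.
function summarize(isCrossDomain) {
  return SAMPLES.map((u) => [u, wouldSendCsrfToken(u, isCrossDomain)]);
}
```

Comparing summarize(naiveIsCrossDomain) with summarize(safeIsCrossDomain) shows the two checks agree on every sample except the leading-space URL, where only the naive check would leak the token.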