CVE-2019-11358 - jQuery, Drupal and Backdrop CMS
Severity: Moderate (score 6.1)
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution: if an unsanitized source object contains an enumerable __proto__ property, the deep extend can modify the native Object.prototype.
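The following is an added illustration, not jQuery's own code: a minimal deep merge that reproduces the flawed pattern described above, beside a hardened version that skips the __proto__ key (the approach of the jQuery 3.4.0 fix, with an extra check on "constructor" that goes beyond that fix) and an input check a defender can run on untrusted JSON before merging it. The function names and the sample payload are constructed for this example.

```javascript
// Added example, not jQuery's code: a minimal deep merge reproducing the
// CVE-2019-11358 pattern, beside a hardened version that skips "__proto__".
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}
// Vulnerable: reading target["__proto__"] yields Object.prototype, so the
// recursive call writes the source's keys onto every object in the realm.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    const existing = target[key];
    target[key] = isPlainObject(value)
      ? deepExtendVulnerable(isPlainObject(existing) ? existing : {}, value)
      : value;
  }
  return target;
}
// Hardened: skip the prototype-setting key (the approach of the jQuery 3.4.0
// fix) and only reuse a nested target that is an own property. Skipping
// "constructor" as well is extra hardening beyond that fix.
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__" || key === "constructor") continue;
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    target[key] = isPlainObject(value)
      ? deepExtendSafe(isPlainObject(own) ? own : {}, value)
      : value;
  }
  return target;
}
// Input check for untrusted JSON before merging: true if any nested object
// carries an own "__proto__" key.
function hasProtoKey(node) {
  if (!isPlainObject(node)) return false;
  if (Object.prototype.hasOwnProperty.call(node, "__proto__")) return true;
  return Object.values(node).some(hasProtoKey);
}
// Runs both merges on a constructed payload of the shape the advisory describes.
function demonstrate() {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  const flagged = hasProtoKey(payload);
  deepExtendVulnerable({}, payload);
  const afterVulnerable = ({}).polluted;   // "yes": Object.prototype was modified
  delete Object.prototype.polluted;        // undo the pollution for the rest of the run
  deepExtendSafe({}, payload);
  const afterSafe = ({}).polluted;         // undefined
  return { flagged, afterVulnerable, afterSafe };
}
```

Note that JSON.parse creates an own, enumerable property literally named "__proto__", which is why a for...in loop over a parsed payload reaches it while an object literal with that key would not.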
Affected software
jQuery / jQuery
Drupal / Drupal
Backdrop CMS / Backdrop
Debian / Debian Linux
Reference links
- http://www.securityfocus.com/bid/108023
- https://backdropcms.org/security/backdrop-sa-core-2019-009
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
- https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
- https://github.com/jquery/jquery/pull/4333
- https://seclists.org/bugtraq/2019/Apr/32
- https://snyk.io/vuln/SNYK-JS-JQUERY-174006
- https://www.debian.org/security/2019/dsa-4434
- https://www.drupal.org/sa-core-2019-006