CVE-2019-11358
published 2019-04-20


Severity: Medium, CVSS 3.1 base score 6.1 (AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N)
Exploited in the wild (ITW exploit)
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
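To illustrate the mechanism described above, here is an added example (not jQuery's own code): a deep extend that refuses the keys through which a recursive merge can reach Object.prototype, plus an audit helper that reports such keys in untrusted input so they can be logged before any merge; the sample request body is constructed.

```javascript
// Added example, not jQuery's own code: a deep extend that refuses the keys
// through which a recursive merge can reach Object.prototype, plus an audit
// helper that reports such keys in untrusted input so they can be logged.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Plain objects only: literals, JSON.parse output, Object.create(null).
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Merge sources into target recursively. Object.keys yields only own
// enumerable keys, and nested containers are re-created, never aliased.
function safeDeepExtend(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue; // the CVE-2019-11358 case
      const value = source[key];
      if (isPlainObject(value)) {
        const existing = Object.prototype.hasOwnProperty.call(target, key) &&
          isPlainObject(target[key]) ? target[key] : {};
        target[key] = safeDeepExtend(existing, value);
      } else if (Array.isArray(value)) {
        target[key] = value.slice();
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}
// Return the dotted path of every unsafe key found in a parsed payload.
function findUnsafeKeys(value, path = '') {
  if (!isPlainObject(value)) return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) hits.push(here);
    hits.push(...findUnsafeKeys(value[key], here));
  }
  return hits;
}

// Constructed sample request body with an enumerable own "__proto__" key.
const untrusted = JSON.parse(
  '{"a":{"b":1},"__proto__":{"polluted":true},"c":{"constructor":{"x":1}}}');
const merged = safeDeepExtend({}, untrusted);
console.log(JSON.stringify(merged), ({}).polluted, findUnsafeKeys(untrusted));
```

JSON.parse creates `__proto__` as an own enumerable property, which is exactly what a naive recursive copy would write into Object.prototype; the audit helper gives a detection signal on its own, independent of which merge routine the application uses.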

Affected

247 ranges, showing 25

Vendor         Product                      Version range                        Fixed in
backdropcms    backdrop                     >= 1.11.0 < 1.11.9                   1.11.9
backdropcms    backdrop                     >= 1.12.0 < 1.12.6                   1.12.6
debian         debian_linux
debian         debian_linux
debian         debian_linux
debian         mediawiki                    < mediawiki 1:1.31.2-1 (bookworm)    mediawiki 1:1.31.2-1 (bookworm)
debian         node-jquery                  < mediawiki 1:1.31.2-1 (bookworm)    mediawiki 1:1.31.2-1 (bookworm)
debian         otrs2                        < mediawiki 1:1.31.2-1 (bookworm)    mediawiki 1:1.31.2-1 (bookworm)
djangoproject  django                       >= 2.0a1 < 2.1.9                     2.1.9
djangoproject  django                       >= 2.2a1 < 2.2.2                     2.2.2
drupal         core                         >= 8.0.0 < 8.5.15                    8.5.15
drupal         core                         >= 8.6.0 < 8.6.15                    8.6.15
drupal         drupal                       >= 7.0 < 7.66                        7.66
drupal         drupal                       >= 8.5.0 < 8.5.15                    8.5.15
drupal         drupal                       >= 8.6.0 < 8.6.15                    8.6.15
drupal         drupal_core
ezsystems      ezplatform-admin-ui-assets   >= 4.0.0 < 4.2.0                     4.2.0
fedoraproject  fedora
fedoraproject  fedora
fedoraproject  fedora
joomla         joomla_!                     3.0.0 – 3.9.4
jquery         jquery                       < 3.4.0                              3.4.0
jquery         jquery                       >= 0 < 1.7.2+dfsg-2ubuntu1+esm1      1.7.2+dfsg-2ubuntu1+esm1
jquery         jquery                       >= 0 < 1.11.3+dfsg-4ubuntu0.1~esm1   1.11.3+dfsg-4ubuntu0.1~esm1
jquery         jquery                       >= 0 < 3.2.1-1ubuntu0.1~esm1         3.2.1-1ubuntu0.1~esm1

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ghsa                6.1    MEDIUM
osv                 6.1    MEDIUM
vulncheck           6.1    MEDIUM