CVE-2019-11358
Severity: MEDIUM 6.1 | EPSS: 1.5%
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
Published: 4/26/2019 | Modified: 4/28/2026
Description
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Affected packages (16)
- Debian/drupal7: from 0, < 7.52-2+deb9u8
- Debian/drupal7: from 0, < 7.32-1+deb8u17
- Debian/jquery: from 0, < 1.7.2+dfsg-3.2+deb8u6
- Debian/mediawiki: from 0, < 1:1.31.2-1
- Debian/mediawiki: from 0, < 1:1.27.7-1~deb9u1
- Debian/node-jquery: from 0, < 2.2.4+dfsg-4
- Debian/otrs2: from 0, < 6.0.26-1
- Debian/otrs2: from 0, < 3.3.18-1+deb8u14
- Debian/otrs2: from 0, < 6.0.16-2+deb10u1
- Maven/org.webjars.npm:jquery: >= 1.1.4, < 3.4.0
- npm/jquery: >= 1.1.4, < 3.4.0
- NuGet/jQuery: >= 1.1.4, < 3.4.0
- Packagist/drupal/core: >= 8.0.0, < 8.5.15 | >= 8.6.0, < 8.6.15
- Packagist/maximebf/debugbar: from 0, < 1.19.0
- PyPI/django: >= 2.0a1, < 2.1.9
- RubyGems/jquery-rails: from 0, < 4.3.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (111)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-11358
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2019-11358
- PATCH https://github.com/jquery/jquery
- WEB http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
- WEB http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- WEB http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
- WEB http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
- WEB http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
- WEB https://access.redhat.com/errata/RHBA-2019:1570
- WEB https://access.redhat.com/errata/RHSA-2019:1456
- WEB https://access.redhat.com/errata/RHSA-2019:2587
- WEB https://access.redhat.com/errata/RHSA-2019:3023
- WEB https://access.redhat.com/errata/RHSA-2019:3024
- WEB https://backdropcms.org/security/backdrop-sa-core-2019-009
- WEB https://blog.jquery.com/2019/04/10/jquery-3-4-0-released
- WEB http://seclists.org/fulldisclosure/2019/May/10
- WEB http://seclists.org/fulldisclosure/2019/May/11
- WEB http://seclists.org/fulldisclosure/2019/May/13
- WEB https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f
- WEB https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829
- WEB https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad
- WEB https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
- WEB https://github.com/jquery/jquery/pull/4333
- WEB https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc
- WEB https://github.com/maximebf/php-debugbar/issues/447
- WEB https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml
- WEB https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
- WEB https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E
- WEB https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E
- WEB https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- WEB https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- WEB https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E
- WEB https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E
- WEB https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E
- WEB https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E
- WEB https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E
- WEB https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E
- WEB https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- WEB https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- WEB https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E
- WEB https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E
- WEB https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E
- WEB https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E
- WEB https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
- WEB https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- WEB https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- WEB https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- WEB https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E
- WEB https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E
- … 61 more