jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
http://seclists.org/fulldisclosure/2019/May/10
http://seclists.org/fulldisclosure/2019/May/11
http://seclists.org/fulldisclosure/2019/May/13
http://www.openwall.com/lists/oss-security/2019/06/03/2
http://www.securityfocus.com/bid/108023
https://access.redhat.com/errata/RHBA-2019:1570
https://access.redhat.com/errata/RHSA-2019:1456
https://access.redhat.com/errata/RHSA-2019:2587
https://access.redhat.com/errata/RHSA-2019:3023
https://access.redhat.com/errata/RHSA-2019:3024
https://backdropcms.org/security/backdrop-sa-core-2019-009
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
https://github.com/jquery/jquery/pull/4333
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html
https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html
https://seclists.org/bugtraq/2019/Apr/32
https://seclists.org/bugtraq/2019/Jun/12
https://seclists.org/bugtraq/2019/May/18
https://security.netapp.com/advisory/ntap-20190919-0001/
https://snyk.io/vuln/SNYK-JS-JQUERY-174006
https://www.debian.org/security/2019/dsa-4434
https://www.debian.org/security/2019/dsa-4460
https://www.drupal.org/sa-core-2019-006
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/
https://www.synology.com/security/advisory/Synology_SA_19_19
Source: MITRE
Published: 2019-04-20
Updated: 2021-01-20
Type: CWE-79
CVSS v2 Base Score: 4.3
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS v2 Impact Score: 2.9
CVSS v2 Exploitability Score: 8.6
CVSS v2 Severity: MEDIUM
CVSS v3.0 Base Score: 6.1
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v3.0 Impact Score: 2.7
CVSS v3.0 Exploitability Score: 2.8
CVSS v3.0 Severity: MEDIUM
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
ID | Name | Product | Family | Severity |
---|---|---|---|---|
146679 | EulerOS 2.0 SP2 : pki-core (EulerOS-SA-2021-1346) | Nessus | Huawei Local Security Checks | medium |
146621 | Tenable SecurityCenter < 5.14.0 Multiple Vulnerabilities (TNS-2020-02) | Nessus | Misc. | medium |
145989 | CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:4847) | Nessus | CentOS Local Security Checks | medium |
145873 | CentOS 8 : idm:DL1 and idm:client (CESA-2020:4670) | Nessus | CentOS Local Security Checks | medium |
144449 | SolarWinds Orion Platform < 2020.2.1 HF2 Multiple Vulnerabilities | Nessus | Misc. | high |
144388 | RHEL 7 : python-XStatic-jQuery (RHSA-2020:5581) | Nessus | Red Hat Local Security Checks | medium |
144240 | EulerOS 2.0 SP5 : pki-core (EulerOS-SA-2020-2560) | Nessus | Huawei Local Security Checks | medium |
143080 | RHEL 7 : ipa (RHSA-2020:3936) | Nessus | Red Hat Local Security Checks | medium |
142435 | RHEL 8 : idm:DL1 and idm:client (RHSA-2020:4670) | Nessus | Red Hat Local Security Checks | medium |
142409 | RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847) | Nessus | Red Hat Local Security Checks | medium |
142372 | Oracle Business Intelligence Publisher Multiple Vulnerabilities (Oct 2020 CPU) | Nessus | Misc. | high |
142210 | Oracle Business Process Management Suite (Oct 2020 CPU) | Nessus | Misc. | high |
142058 | Pulse Connect Secure < 9.1R9 (SA44601) | Nessus | Misc. | medium |
142057 | Pulse Policy Secure < 9.1R9 (SA44601) | Nessus | Misc. | medium |
141974 | Amazon Linux 2 : ipa-client (ALAS-2020-1519) | Nessus | Amazon Linux Local Security Checks | medium |
141734 | Scientific Linux Security Update : ipa on SL7.x x86_64 (20201001) | Nessus | Scientific Linux Local Security Checks | medium |
141586 | CentOS 7 : ipa (CESA-2020:3936) | Nessus | CentOS Local Security Checks | medium |
135676 | Oracle WebCenter Sites Multiple Vulnerabilities (April 2020 CPU) | Nessus | Windows | medium |
135256 | RHEL 8 : python-XStatic-jQuery (RHSA-2020:1325) | Nessus | Red Hat Local Security Checks | medium |
133967 | Debian DLA-2118-1 : otrs2 security update | Nessus | Debian Local Security Checks | medium |
133260 | Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2020 CPU) | Nessus | Misc. | high |
133057 | Oracle Enterprise Manager Ops Center (Oct 2019 CPU) | Nessus | Misc. | medium |
132936 | Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU) | Nessus | CGI abuses | high |
130070 | Oracle Primavera Unifier Multiple Vulnerabilities (Oct 2019 CPU) | Nessus | CGI abuses | high |
130012 | Oracle WebLogic Server Multiple Vulnerabilities (Oct 2019 CPU) | Nessus | Misc. | medium |
129862 | RHEL 7 : Virtualization Manager (RHSA-2019:3024) | Nessus | Red Hat Local Security Checks | high |
129861 | RHEL 7 : Virtualization Manager (RHSA-2019:3023) | Nessus | Red Hat Local Security Checks | medium |
127742 | openSUSE Security Update : python-Django (openSUSE-2019-1839) | Nessus | SuSE Local Security Checks | high |
126485 | FreeBSD : mediawiki -- multiple vulnerabilities (3c5a4fe0-9ebb-11e9-9169-fcaa147e860e) | Nessus | FreeBSD Local Security Checks | high |
125858 | Debian DSA-4460-1 : mediawiki - security update | Nessus | Debian Local Security Checks | high |
125750 | FreeBSD : Django -- AdminURLFieldWidget XSS (ffc73e87-87f0-11e9-ad56-fcaa147e860e) | Nessus | FreeBSD Local Security Checks | medium |
125298 | Debian DLA-1797-1 : drupal7 security update | Nessus | Debian Local Security Checks | high |
124719 | JQuery < 3.4.0 Object Prototype Pollution Vulnerability | Nessus | CGI abuses | medium |
124703 | Fedora 28 : drupal7 (2019-f563e66380) | Nessus | Fedora Local Security Checks | medium |
124700 | Fedora 29 : drupal7 (2019-a06dffab1c) | Nessus | Fedora Local Security Checks | medium |
124699 | Fedora 30 : drupal7 (2019-2a0ce0c58c) | Nessus | Fedora Local Security Checks | medium |
124688 | Fedora 30 : drupal8 (2019-eba8e44ee6) | Nessus | Fedora Local Security Checks | high |
124686 | Fedora 29 : drupal8 (2019-7eaf0bbe7c) | Nessus | Fedora Local Security Checks | high |
124685 | Fedora 28 : drupal8 (2019-1a3edd7e8a) | Nessus | Fedora Local Security Checks | high |
98590 | jQuery < 3.4.0 Prototype Pollution | Web Application Scanning | Component Vulnerability | medium |
124205 | Debian DSA-4434-1 : drupal7 - security update | Nessus | Debian Local Security Checks | medium |