Security Risk: 
Less Critical
Vulnerability: 
Other
Affected Versions: 

CiviCRM versions 5.10.2 and earlier

Fixed Versions: 

CiviCRM versions 5.10.3 and 5.7.4

Publication Date: 
Wednesday, February 20, 2019
Description: 

CiviCRM includes a copy of jQuery 1.x. If a site uses jQuery 1.x or 2.x to asynchronously load third-party assets, then the third party (or a man-in-the-middle) may trick jQuery into executing arbitrary JavaScript code (CVE-2015-9251). CiviCRM deployments should generally be safe due to their low reliance on third-party assets; however, as a preventive measure, CiviCRM now includes the mitigation from jQuery#2432.
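As an added illustration (not CiviCRM's or jQuery's own code), the following models the part of jQuery's Ajax response handling that CVE-2015-9251 abuses and the shape of the jQuery#2432 mitigation. The setting names `crossDomain`, `dataType` and `contents` mirror jQuery's; `hardenCrossDomainScripts`, `resolveDataType`, `settingsFor` and `demo` are assumed helper names, and the response Content-Type is constructed.

```javascript
// Models the part of jQuery's Ajax response handling abused by CVE-2015-9251
// (constructed illustration, not jQuery's or CiviCRM's code).

// Content-type sniffing table jQuery 1.x/2.x consult when no dataType is
// given: a text/javascript response is promoted to "script" and evaluated.
const DEFAULT_CONTENTS = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/,
};

// The jQuery#2432 mitigation in the shape of an ajaxPrefilter: for cross-domain
// requests, drop "script" from the sniffing table so an unexpected JavaScript
// response is handled as text. Real jQuery: jQuery.ajaxPrefilter(hardenCrossDomainScripts)
function hardenCrossDomainScripts(s) {
  if (s.crossDomain) {
    s.contents = Object.assign({}, s.contents, { script: false });
  }
}

// Model of ajaxHandleResponses: an explicit dataType wins; otherwise the
// Content-Type is matched against s.contents. "script" means globalEval.
function resolveDataType(s, responseContentType) {
  if (s.dataType) return s.dataType;
  for (const [type, re] of Object.entries(s.contents)) {
    if (re && re.test(responseContentType)) return type;
  }
  return 'text';
}

// Settings for one request (real jQuery derives crossDomain from the URL).
function settingsFor({ crossDomain, dataType, mitigated }) {
  const s = { crossDomain, dataType, contents: Object.assign({}, DEFAULT_CONTENTS) };
  if (mitigated) hardenCrossDomainScripts(s);
  return s;
}

// Constructed case: a third party (or an on-path attacker) answers a
// cross-domain $.get() that set no dataType with text/javascript.
const CT = 'text/javascript; charset=utf-8';
function demo() {
  return {
    vulnerable: resolveDataType(settingsFor({ crossDomain: true, mitigated: false }), CT),
    mitigated:  resolveDataType(settingsFor({ crossDomain: true, mitigated: true }), CT),
    explicit:   resolveDataType(settingsFor({ crossDomain: true, dataType: 'script', mitigated: true }), CT),
    sameOrigin: resolveDataType(settingsFor({ crossDomain: false, mitigated: true }), CT),
  };
}
```

The last two cases show the mitigation's limits: an explicit `dataType: 'script'` still executes the response, and same-origin responses are still sniffed, so code that deliberately loads remote scripts through jQuery must be reviewed on its own.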

Solutions: 

Upgrade to the latest CiviCRM version

NOTE: If you have a customization which purposefully uses CiviCRM's copy of jQuery to asynchronously load executable JavaScript code from an external provider, then take care to revalidate it.

Credits: 

Francis Whittle of Agileware for reporting the issue

Coleman Watts of CiviCRM for fixing the issue

CVE: 
CVE-2015-9251