Security Risk: 
Less Critical
Vulnerability: 
Other
Affected Versions: 

CiviCRM Versions 5.13.0 and earlier

Fixed Versions: 

CiviCRM versions 5.13.4 and 5.7.6

Publication Date: 
Wednesday, May 15, 2019
Description: 

In jQuery 1.x, a malicious AJAX response can pollute the content of the "Object.prototype". jQuery 1.x no longer receives security updates, but CiviCRM now includes a patched version of jQuery 1.x (1.12.4-civicrm-1) derived from https://github.com/DanielRuf/snyk-js-jquery-174006/.
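The fix jQuery shipped for this issue skips the `__proto__` key inside its deep `jQuery.extend`, so a nested object in an untrusted payload can no longer be merged onto the shared `Object.prototype`. The following is an added example, not code from CiviCRM, jQuery or the patch linked above: a small deep merge (`safeDeepMerge`, `mergeResponse` and `UNTRUSTED_RESPONSE` are names and sample data constructed here) that applies that class of check, refusing `__proto__`, `constructor` and `prototype` as keys and only recursing into plain objects.

```javascript
'use strict';

// Keys that would redirect a recursive merge onto a prototype shared by
// every object in the page. The jQuery 3.4.0 fix skips "__proto__"; the two
// extra names close the equivalent path through a constructor's prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (literal or null-prototype) are merged recursively;
// arrays, class instances, functions and primitives are copied by reference.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively merges `source` into `target` and returns `target`.
// Forbidden keys are dropped rather than written, so a payload such as
// {"__proto__": {...}} never touches Object.prototype.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeDeepMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: an AJAX response body that carries legitimate settings
// alongside a key aimed at the object prototype. JSON.parse turns
// "__proto__" into an ordinary own property, which Object.keys() reports.
const UNTRUSTED_RESPONSE =
  '{"settings":{"theme":"dark"},"__proto__":{"isAdmin":true},' +
  '"constructor":{"prototype":{"isAdmin":true}}}';

// Merges a parsed response into a default settings object.
function mergeResponse(json) {
  const defaults = { settings: { theme: 'light', lang: 'en' } };
  return safeDeepMerge(defaults, JSON.parse(json));
}

// Post-merge check a defender can run: a fresh object must not have gained
// any property from the untrusted payload.
function prototypeIsClean(propertyName) {
  return ({})[propertyName] === undefined;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(mergeResponse(UNTRUSTED_RESPONSE)));
  console.log('Object.prototype clean:', prototypeIsClean('isAdmin'));
}
```

Nested legitimate values (`settings.theme`) are still overridden while untouched defaults (`settings.lang`) survive; the forbidden keys are discarded before any property write happens, which is the behaviour the patched jQuery build restores for CiviCRM's bundled `jQuery.extend`.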

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Michał Gołębiowski-Owczarek and Daniel Ruf for the upstream patches.

John Kingsnorth of Cambridge University and John Kirk of CiviFirst for reporting the issue. Tim Otten of CiviCRM for backporting.

References: 

security/core#50

CVE: 
CVE-2019-11358