CIVI-SA-2019-07: Limit Cross-Domain Execution by jQuery

2019-02-20 09:00
Written by

CiviCRM includes a copy of jQuery 1.x. If a site uses jQuery 1.x or 2.x to asynchronously load third-party assets, then the third-party (or a man-in-the-middle) may trick jQuery into executing arbitrary JavaScript code (CVE-2015-9251). CiviCRM deployments should generally be safe due to low reliance on third-party assets; however, as a preventive, CiviCRM now includes the mitigation from jQuery#2432.

Security Risk
Less Critical
Affected Versions

CiviCRM versions 5.10.2 and earlier

Fixed Versions

CIviCRM versions 5.10.3 and 5.7.4


Upgrade to the latest CiviCRM version

NOTE: If you have a customization which purposefully uses CiviCRM's copy of jQuery to asynchronously load executable JavaScript code from an external provider, then take care to revalidate it.


Francis Whittle of Agileware for reporting the issue

Coleman Watts of CiviCRM for fixing the issue