CIVI-SA-2019-11: jQuery Object.prototype pollution

Opublikowane
2019-05-15 09:00
Written by

In jQuery 1.x, a malicious AJAX response can pollute the content of the "Object.prototype". jQuery 1.x no longer receives security updates, but CiviCRM now includes a patched version of jQuery 1.x (1.12.4-civicrm-1) derived from https://github.com/DanielRuf/snyk-js-jquery-174006/.

Security Risk
Less Critical
Vulnerability
Other
Affected Versions

CiviCRM Versions 5.13.0 and earlier

Fixed Versions

CiviCRM version 5.13.4 and 5.7.6

Solutions

Upgrade to the latest version of CiviCRM

Credits

Michał Gołębiowski-Owczarek and Daniel Ruf for the upstream patches.

John Kingsnorth of Camberidge University and John Kirk of CiviFirst for reporting the issue. Tim Otten of CiviCRM for backporting.

References

security/core#50

CVE
CVE-2019-11358