GHSA-6c3j-c64m-qhgq

Source

https://github.com/advisories/GHSA-6c3j-c64m-qhgq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6c3j-c64m-qhgq

Aliases

CVE-2019-11358
SNYK-JS-JQUERY-174006

Published

2019-04-26T16:29:11Z

Modified

2024-04-22T19:46:14.305271Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

XSS in jQuery as used in Drupal, Backdrop CMS, and other products

Details

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

References

Affected packages

npm / jquery

Package

Name: jquery; View open source insights on deps.dev
Purl: pkg:npm/jquery

Affected ranges

Type: SEMVER
Events: Introduced

1.1.4

Fixed

3.4.0

RubyGems / jquery-rails

Package

Name: jquery-rails
Purl: pkg:gem/jquery-rails

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.4

Affected versions

0.*

0.1.1

0.1.2

0.1.3

0.2

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

1.*

1.0.rc

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

2.*

2.0.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.3.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

4.*

4.0.0.beta1

4.0.0.beta2

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.3.0

4.3.1

4.3.2

4.3.3

NuGet / jQuery

Package

Name: jQuery; View open source insights on deps.dev
Purl: pkg:nuget/jQuery

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.1.4

Fixed

3.4.0

Affected versions

1.*

1.4.1

1.4.2

1.4.3

1.4.4

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.7.0

1.7.1

1.7.1.1

1.7.2

1.8.0

1.8.1

1.8.2

1.8.3

1.9.0

1.9.1

1.10.0

1.10.0.1

1.10.1

1.10.2

1.11.0

1.11.1

1.11.2

1.11.3

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

2.*

2.0.0

2.0.1

2.0.1.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

3.*

3.0.0

3.0.0.1

3.1.0

3.1.1

3.2.1

3.3.1

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0a1

Fixed

2.1.9

Affected versions

2.*

2.0a1

2.0b1

2.0rc1

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.12

2.0.13

2.1a1

2.1b1

2.1rc1

2.1

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.7

2.1.8

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2a1

Fixed

2.2.2

Affected versions

2.*

2.2a1

2.2b1

2.2rc1

2.2

2.2.1

Maven / org.webjars.npm:jquery

Package

Name: org.webjars.npm:jquery; View open source insights on deps.dev
Purl: pkg:maven/org.webjars.npm/jquery

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.1.4

Fixed

3.4.0

Affected versions

1.*

1.7.2

1.7.3

1.8.2

1.8.3

1.9.1

1.11.0

1.11.1

1.11.3

1.12.1

1.12.2

1.12.3

1.12.4

2.*

2.1.0

2.1.1-rc1

2.1.1-rc2

2.1.1

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

3.*

3.0.0-alpha1

3.0.0-beta1

3.0.0-rc1

3.0.0

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.3.1