[3.10] drupal7: Cross Site Scripting (CVE-2019-11358)
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.
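As an added example (not code from this advisory, from jQuery or from Drupal), the following minimal deep merge works in the spirit of jQuery.extend(true, target, source): one variant keeps the pre-3.4.0 behaviour that lets a source key named `__proto__` redirect the merge into Object.prototype, the other applies the guard jQuery 3.4.0 introduced. The function names, the `pollutesPrototype` check and the constructed hostile input are this example's own; the extra `constructor`/`prototype` keys in the deny list go beyond the jQuery fix and are additional hardening.

```javascript
// Added example: prototype pollution through a jQuery-style deep merge and
// the guard that closes it. Not the jQuery implementation itself.

// jQuery-style plain-object test: an object whose prototype is null or
// Object.prototype. Note that Object.prototype itself passes this test,
// which is exactly what makes the recursion below reach it.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Pre-3.4.0 behaviour (hypothetical name): every own enumerable key of
// `source`, including one literally named "__proto__", selects
// `target[key]` as the destination. For "__proto__" that is
// Object.prototype, so the nested values land on every object.
function unsafeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = target[key];
      target[key] = unsafeDeepExtend(isPlainObject(existing) ? existing : {}, src);
    } else if (src !== undefined) {
      target[key] = src;
    }
  }
  return target;
}

// "__proto__" is the key jQuery 3.4.0 skips; "constructor" and "prototype"
// are extra hardening this example adds, as later merge libraries do.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened variant (hypothetical name): identical merge, but keys that can
// reach a prototype object are never used as a destination.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = target[key];
      target[key] = safeDeepExtend(isPlainObject(existing) ? existing : {}, src);
    } else if (src !== undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Detection helper: run `merge` on a fresh target with a constructed hostile
// source (JSON.parse yields an OWN key named "__proto__", unlike an object
// literal) and report whether Object.prototype picked up the injected key.
// The injected key is removed again so the process is left clean.
function pollutesPrototype(merge) {
  const hostile = JSON.parse('{"__proto__": {"injected": "yes"}}'); // constructed input
  merge({}, hostile);
  const leaked = ({}).injected === "yes";
  delete Object.prototype.injected;
  return leaked;
}

console.log("unsafe merge pollutes:", pollutesPrototype(unsafeDeepExtend)); // true
console.log("safe merge pollutes:", pollutesPrototype(safeDeepExtend));     // false
console.log(JSON.stringify(safeDeepExtend({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));
```

The practical check for a code base is the one `pollutesPrototype` performs: feed the merge a parsed JSON document carrying an own `__proto__` key and confirm that a fresh `{}` does not acquire the injected property afterwards.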
Fixed In Version:
drupal 7.66
References:
https://www.drupal.org/sa-core-2019-006
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
(from redmine: issue id 10317, created on 2019-04-23, closed on 2019-06-20)
- Relations:
- parent #10316