Moderately critical Drupal core update - Cross Site Scripting - SA-CORE-2019-006

Project: Drupal core
Date: 2019-April-17
Security risk: Moderately critical 10∕25
Vulnerability: Cross Site Scripting
CVE IDs: CVE-2019-11358

Description

The jQuery project released version 3.4.0 with the following security vulnerability disclosure that affects all prior versions:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

As Drupal Security Team suggests it's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update.

Solution

Install the latest version:

• If you are using Drupal 8.6, update to Drupal 8.6.15.
• If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15.
• If you are using Drupal 7, update to Drupal 7.66.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.