Oxygen-SA-19-01 jQuery 3.1.1

Severity: Low
2019-10-29 17:48:14

Abstract

CVE-2019-11358 allows intruders to extend the native Object.prototype when an unsanitized source object contains an enumerable __proto__ property.

Affected Products/Versions

Product                Severity   Fixed Release Availability
Oxygen XML Editor      Low        Resolved
Oxygen XML Developer   Low        Resolved
Oxygen XML Author      Low        Resolved
Oxygen WebHelp         Low        Resolved

Mitigation

None

Detail

CVE-2019-11358

Severity: Low

CVSS Score: 4.3

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
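The following is an added illustration, not jQuery's own source or code from this advisory: a minimal deep merge written in the style of jQuery.extend(true, target, source) before 3.4.0, beside a hardened version that applies the "__proto__" check the 3.4.0 fix introduced (and, as an assumed extension beyond that fix, refuses to recurse into inherited properties). The sample input is constructed for the demonstration.

```javascript
// Deep merge in the style of jQuery.extend(true, target, source) BEFORE 3.4.0.
// Every enumerable own key of `source` is copied, including "__proto__":
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// the source's nested keys onto the prototype shared by every plain object.
function deepMergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      deepMergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge. jQuery 3.4.0 fixed CVE-2019-11358 by skipping the
// "__proto__" key. This version (an assumed extension, not jQuery's code) also
// refuses to recurse into a key that `target` only inherits, which closes the
// same class of issue for other inherited names such as "constructor".
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue;                  // the 3.4.0 check
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") target[key] = {};
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: Object.prototype should never carry `name` as its own key.
function prototypeIsPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed sample input: JSON.parse makes "__proto__" an *own* enumerable
// key, which is exactly the shape of the unsanitized source object in this bug.
const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "theme": "dark"}');

deepMergeUnsafe({}, untrusted);
console.log("after unsafe merge:", prototypeIsPolluted("polluted")); // true
delete Object.prototype.polluted;                                    // clean up
deepMergeSafe({}, untrusted);
console.log("after safe merge:", prototypeIsPolluted("polluted"));   // false
```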

Reference

CVE-2019-11358

Revision History

This issue was identified and responsibly reported by Stefan Vasile.

If you require further assistance, or if you have any further questions regarding this security notice, please contact