[Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006
security-news at drupal.org
security-news at drupal.org
Wed Apr 17 20:50:46 UTC 2019
View online: https://www.drupal.org/sa-core-2019-006
Project: Drupal core [1]
Date: 2019-April-17
Security risk: *Moderately critical* 10∕25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description:
The jQuery project released version 3.4.0, and as part of that, disclosed a
security vulnerability that affects all prior versions. As described in their
release notes [3]:
>jQuery 3.4.0 includes a fix for some unintended behavior when using
>jQuery.extend(true, {}, ...). If an unsanitized source object contained an
>enumerable __proto__ property, it could extend the native Object.prototype.
>This fix is included in jQuery 3.4.0, but patch diffs exist to patch
>previous jQuery versions.
>
It's possible that this vulnerability is exploitable with some Drupal
modules. As a precaution, this Drupal security release backports the fix to
jQuery.extend(), without making any other changes to the jQuery version that
is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or
running on the site via some other module such as jQuery Update [4].
Solution:
Install the latest version:
* If you are using Drupal 8.6, update to Drupal 8.6.15 [5].
* If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15 [6].
* If you are using Drupal 7, update to Drupal 7.66 [7].
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive
security coverage.
Also see the Drupal core [8] project page.
.... Additional information
All advisories released today:
* SA-CORE-2019-005 [9]
* SA-CORE-2019-006 [10]
Updating to the latest Drupal core release will apply the fixes for all the
above advisories.
Reported By:
* dtv_rb [11]
* Jess [12] of the Drupal Security Team
Fixed By:
* Alex Bronstein [13] of the Drupal Security Team
* Lee Rowlands [14] of the Drupal Security Team
* Jess [15] of the Drupal Security Team
* Lauri Eskola [16]
* Greg Knaddison [17] of the Drupal Security Team
* Neil Drumm [18] of the Drupal Security Team
* Samuel Mortenson [19] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
[4] https://www.drupal.org/project/jquery_update
[5] https://www.drupal.org/project/drupal/releases/8.6.15
[6] https://www.drupal.org/project/drupal/releases/8.5.15
[7] https://www.drupal.org/project/drupal/releases/7.66
[8] https://www.drupal.org/project/drupal
[9] https://www.drupal.org/sa-core-2019-005
[10] https://www.drupal.org/sa-core-2019-006
[11] https://www.drupal.org/user/3528196
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/78040
[14] https://www.drupal.org/user/395439
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/1078742
[17] https://www.drupal.org/user/36762
[18] https://www.drupal.org/user/3064
[19] https://www.drupal.org/user/2582268
More information about the Security-news
mailing list