[Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006

security-news at drupal.org security-news at drupal.org
Wed Apr 17 20:50:46 UTC 2019


View online: https://www.drupal.org/sa-core-2019-006

Project: Drupal core [1]
Date: 2019-April-17
Security risk: *Moderately critical* 10/25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Description: 
The jQuery project released version 3.4.0, and as part of that, disclosed a
security vulnerability that affects all prior versions. As described in their
release notes [3]:

  >jQuery 3.4.0 includes a fix for some unintended behavior when using
  >jQuery.extend(true, {}, ...). If an unsanitized source object contained an
  >enumerable __proto__ property, it could extend the native Object.prototype.
  >This fix is included in jQuery 3.4.0, but patch diffs exist to patch
  >previous jQuery versions.
  >
It's possible that this vulnerability is exploitable with some Drupal
modules. As a precaution, this Drupal security release backports the jQuery
3.4.0 fix to jQuery.extend() only. It makes no other change to the jQuery
version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for
Drupal 7) or that is running on the site via some other module such as jQuery
Update [4]. Because the jQuery version string is left unchanged, checking the
jQuery version served by a site will not show whether the fix is present;
check the Drupal core version instead.
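The following is an added example, not code from jQuery, Drupal, or this advisory. It models the deep-merge logic of jQuery.extend(true, target, source) in a few lines so the prototype pollution described above can be reproduced offline, and exposes the guard jQuery 3.4.0 added (skipping the "__proto__" key) as an option so the vulnerable and fixed behaviour can be compared side by side. The untrusted JSON body, the isAdmin property and the function names are constructed for the demonstration.

```javascript
// Added example (not jQuery's or Drupal's code): a minimal model of the deep-merge
// logic in jQuery.extend(true, target, source) before 3.4.0, with the 3.4.0 guard
// available as an option so the vulnerable and fixed behaviour can be compared.
// Run with: node sa-core-2019-006.js

// jQuery treats objects whose prototype is Object.prototype or null as "plain".
// Object.prototype itself passes this test, which is what makes the bug bite.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Recursive merge in the style of jQuery.extend(true, ...). When a key already
// exists on the target as a plain object, that object is reused and merged into.
// For the key "__proto__" on a fresh {} the existing value is Object.prototype,
// so the source's "__proto__" sub-object gets merged into every object's prototype.
function deepExtend(target, source, { skipProto = false } = {}) {
  for (const name in source) {
    // Guard added in jQuery 3.4.0 (and backported by this Drupal release):
    // never treat "__proto__" as a key to merge into.
    if (skipProto && name === "__proto__") continue;
    const copy = source[name];
    if (copy === target) continue; // never-ending loop guard, as in jQuery
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, { skipProto });
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Runs one merge of constructed attacker-controlled input and reports whether
// Object.prototype was polluted. The input is what JSON.parse yields for a
// request body: JSON.parse creates "__proto__" as an ordinary own, enumerable
// key, so a for...in loop enumerates it like any other property.
function pollutionCheck(skipProto) {
  const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "demo"}');
  const before = ({}).isAdmin;                         // undefined on a clean runtime
  const merged = deepExtend({}, untrusted, { skipProto });
  const after = ({}).isAdmin;                          // true if Object.prototype was polluted
  delete Object.prototype.isAdmin;                     // undo the pollution for later code
  return { before, after, mergedName: merged.name };
}

console.log("vulnerable:", pollutionCheck(false)); // after: true
console.log("fixed:     ", pollutionCheck(true));  // after: undefined
```

The point to take from the model is that the dangerous step is not the assignment to `target["__proto__"]` but the reuse of the existing value at that key, which for any ordinary object is `Object.prototype`; a merge helper that only refuses to *write* `__proto__` but still recurses into it is not fixed. Any application code that performs its own recursive merge of user-supplied JSON needs the same key check, regardless of the jQuery version in use.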

Solution: 
Install the latest version:

   * If you are using Drupal 8.6, update to Drupal 8.6.15 [5].
   * If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15 [6].
   * If you are using Drupal 7, update to Drupal 7.66 [7].

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive
security coverage.

Also see the Drupal core [8] project page.

.... Additional information

All advisories released today:

   * SA-CORE-2019-005 [9]
   * SA-CORE-2019-006 [10]

Updating to the latest Drupal core release will apply the fixes for all the
above advisories.

Reported By: 
   * dtv_rb  [11]
   * Jess   [12] of the Drupal Security Team

Fixed By: 
   * Alex Bronstein  [13] of the Drupal Security Team
   * Lee Rowlands  [14] of the Drupal Security Team
   * Jess   [15] of the Drupal Security Team
   * Lauri Eskola  [16]
   * Greg Knaddison  [17] of the Drupal Security Team
   * Neil Drumm  [18] of the Drupal Security Team
   * Samuel Mortenson  [19] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
[4] https://www.drupal.org/project/jquery_update
[5] https://www.drupal.org/project/drupal/releases/8.6.15
[6] https://www.drupal.org/project/drupal/releases/8.5.15
[7] https://www.drupal.org/project/drupal/releases/7.66
[8] https://www.drupal.org/project/drupal
[9] https://www.drupal.org/sa-core-2019-005
[10] https://www.drupal.org/sa-core-2019-006
[11] https://www.drupal.org/user/3528196
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/78040
[14] https://www.drupal.org/user/395439
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/1078742
[17] https://www.drupal.org/user/36762
[18] https://www.drupal.org/user/3064
[19] https://www.drupal.org/user/2582268


