CVE-2019-11358

Description

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Risk Information

Base Score: 6.1 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score (Exploitation Probability): 0.838

Associated Vulnerability

Vulnerability | OS Platform
Multiple vulnerabilities affected in Oracle WebLogic Server 14.1.1.0.0 | Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 10.3.6.0.0 | Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.1.3.0.0 | Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.3.0 | Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0 | Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0 | Windows
Multiple vulnerabilities are fixed in Nessus Agent (10.5.0) | Windows
Multiple vulnerabilities are fixed in Nessus Agent (x64) (10.5.0) | Windows
Multiple vulnerabilities are fixed in Tenable Nessus 10.5.0 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2.4 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 12.0.3 | Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.55 | Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.56 | Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.57 | Windows
Multiple vulnerabilities are affected in Oracle BI Publisher 12.2.1.3.0 | Windows
Multiple vulnerabilities are affected in Oracle BI Publisher 12.2.1.4.0 | Windows
Multiple vulnerabilities are affected in Oracle BI Publisher 5.5.0.0.0 | Windows
Vulnerabilities CVE-2019-11358 are affected in Oracle Financial Services Revenue Management and Billing 2.4.0.0 | Windows
Vulnerabilities CVE-2019-11358 are affected in Oracle Financial Services Revenue Management and Billing 2.4.0.1 | Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.1 | Windows
Vulnerabilities CVE-2019-11358,CVE-2019-5428 are fixed in WebJars - jquery 3.4.0 | Windows
Multiple Vulnerabilities are affected in Netapp Snapcenter 2.3 | Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.0 | Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 19.0 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.7 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.2.1 | Windows
Vulnerabilities CVE-2019-11358,CVE-2019-12308 are fixed in Python-django 2.1.9 | Windows
Vulnerabilities CVE-2019-11358,CVE-2019-12308 are fixed in Python-django 2.2.2 | Windows
Vulnerabilities CVE-2019-11358 are fixed in Ruby-jquery-rails 4.3.4 | Windows
Vulnerabilities CVE-2019-11358 are fixed in Nuget - jQuery 3.4.0 | Windows
drupal7 security update(DSA-4434-1) drupal7_7.52-2+deb9u8_all.deb | Linux
mediawiki security update(DSA-4460-1) mediawiki_1.27.7-1~deb9u1_all.deb | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update ipa-client-4.6.8-5.el7.x86_64.rpm | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update ipa-client-common-4.6.8-5.el7.noarch.rpm | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update ipa-common-4.6.8-5.el7.noarch.rpm | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update ipa-python-compat-4.6.8-5.el7.noarch.rpm | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update ipa-server-4.6.8-5.el7.x86_64.rpm | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update ipa-server-common-4.6.8-5.el7.noarch.rpm | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update ipa-server-dns-4.6.8-5.el7.noarch.rpm | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update python2-ipaclient-4.6.8-5.el7.noarch.rpm | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update python2-ipalib-4.6.8-5.el7.noarch.rpm | Linux
(RHSA-2020:3936) ipa security, bug fix, and enhancement update python2-ipaserver-4.6.8-5.el7.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update apache-commons-net-3.6-3.module+el8.3.0+6805+72837426.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update jss-4.7.3-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update jss-debugsource-4.7.3-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update jss-javadoc-4.7.3-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update ldapjdk-4.22.0-1.module+el8.3.0+6784+6e1e4c62.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update ldapjdk-javadoc-4.22.0-1.module+el8.3.0+6784+6e1e4c62.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update pki-base-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update pki-base-java-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update pki-ca-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update pki-core-debugsource-10.9.4-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update pki-kra-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update pki-server-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update pki-servlet-4.0-api-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update pki-servlet-engine-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update pki-symkey-10.9.4-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update pki-tools-10.9.4-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update python3-pki-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update resteasy-3.0.26-3.module+el8.2.0+5723+4574fbff.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update stax-ex-1.7.7-8.module+el8.2.0+5723+4574fbff.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update tomcatjss-7.5.0-1.module+el8.3.0+7355+c59bcbd9.noarch.rpm | Linux
(RHSA-2020:4847) pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update xmlstreambuffer-1.5.4-8.module+el8.2.0+5723+4574fbff.noarch.rpm | Linux
Pcs update (ELSA-2022-7343) pcs-0.9.169-3.0.1.el7_9.3.x86_64.rpm | Linux
Pcs-snmp update (ELSA-2022-7343) pcs-snmp-0.9.169-3.0.1.el7_9.3.x86_64.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) slf4j-1.7.25-4.module+el8.5.0+697+f586bb30.noarch.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) velocity-1.7-24.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) xalan-j2-2.7.1-38.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) javassist-3.18.1-8.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) xerces-j2-2.11.0-34.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) javassist-javadoc-3.18.1-8.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) apache-commons-net-3.6-3.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) apache-commons-lang-2.6-21.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) xml-commons-resolver-1.2-26.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) apache-commons-collections-3.2.2-10.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (RLSA-2020:4847) jakarta-commons-httpclient-3.1-28.module+el8.3.0+53+ea062990.noarch.rpm | Linux
Apache-commons-collections update (ELSA-2020-4847) apache-commons-collections-3.2.2-10.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Apache-commons-lang update (ELSA-2020-4847) apache-commons-lang-2.6-21.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Apache-commons-net update (ELSA-2020-4847) apache-commons-net-3.6-3.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Bea-stax-api update (ELSA-2020-4847) bea-stax-api-1.2.0-16.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Glassfish-fastinfoset update (ELSA-2020-4847) glassfish-fastinfoset-1.2.13-9.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Glassfish-jaxb-api update (ELSA-2020-4847) glassfish-jaxb-api-2.2.12-8.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Glassfish-jaxb-core update (ELSA-2020-4847) glassfish-jaxb-core-2.2.11-11.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Glassfish-jaxb-runtime update (ELSA-2020-4847) glassfish-jaxb-runtime-2.2.11-11.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Glassfish-jaxb-txw2 update (ELSA-2020-4847) glassfish-jaxb-txw2-2.2.11-11.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Jackson-annotations update (ELSA-2020-4847) jackson-annotations-2.10.0-1.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Jackson-core update (ELSA-2020-4847) jackson-core-2.10.0-1.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Jackson-databind update (ELSA-2020-4847) jackson-databind-2.10.0-1.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Jackson-jaxrs-json-provider update (ELSA-2020-4847) jackson-jaxrs-json-provider-2.9.9-1.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Jackson-jaxrs-providers update (ELSA-2020-4847) jackson-jaxrs-providers-2.9.9-1.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Jackson-module-jaxb-annotations update (ELSA-2020-4847) jackson-module-jaxb-annotations-2.7.6-4.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Jakarta-commons-httpclient update (ELSA-2020-4847) jakarta-commons-httpclient-3.1-28.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Javassist update (ELSA-2020-4847) javassist-3.18.1-8.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Javassist-javadoc update (ELSA-2020-4847) javassist-javadoc-3.18.1-8.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Jss update (ELSA-2020-4847) jss-4.7.3-1.module+el8.3.0+7857+983338ee.x86_64.rpm | Linux
Jss-javadoc update (ELSA-2020-4847) jss-javadoc-4.7.3-1.module+el8.3.0+7857+983338ee.x86_64.rpm | Linux
Ldapjdk update (ELSA-2020-4847) ldapjdk-4.22.0-1.module+el8.3.0+7857+983338ee.noarch.rpm | Linux
Ldapjdk-javadoc update (ELSA-2020-4847) ldapjdk-javadoc-4.22.0-1.module+el8.3.0+7857+983338ee.noarch.rpm | Linux
Pki-base update (ELSA-2020-4847) pki-base-10.9.4-1.0.1.module+el8.3.0+7857+983338ee.noarch.rpm | Linux
Pki-base-java update (ELSA-2020-4847) pki-base-java-10.9.4-1.0.1.module+el8.3.0+7857+983338ee.noarch.rpm | Linux
Pki-ca update (ELSA-2020-4847) pki-ca-10.9.4-1.0.1.module+el8.3.0+7857+983338ee.noarch.rpm | Linux
Pki-kra update (ELSA-2020-4847) pki-kra-10.9.4-1.0.1.module+el8.3.0+7857+983338ee.noarch.rpm | Linux
Pki-server update (ELSA-2020-4847) pki-server-10.9.4-1.0.1.module+el8.3.0+7857+983338ee.noarch.rpm | Linux
Pki-servlet-4.0-api update (ELSA-2020-4847) pki-servlet-4.0-api-9.0.30-1.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Pki-servlet-engine update (ELSA-2020-4847) pki-servlet-engine-9.0.30-1.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Pki-symkey update (ELSA-2020-4847) pki-symkey-10.9.4-1.0.1.module+el8.3.0+7857+983338ee.x86_64.rpm | Linux
Pki-tools update (ELSA-2020-4847) pki-tools-10.9.4-1.0.1.module+el8.3.0+7857+983338ee.x86_64.rpm | Linux
Python-nss-doc update (ELSA-2020-4847) python-nss-doc-1.0.1-10.module+el8.3.0+7697+44932688.x86_64.rpm | Linux
Python3-nss update (ELSA-2020-4847) python3-nss-1.0.1-10.module+el8.3.0+7697+44932688.x86_64.rpm | Linux
Python3-pki update (ELSA-2020-4847) python3-pki-10.9.4-1.0.1.module+el8.3.0+7857+983338ee.noarch.rpm | Linux
RelaxngDatatype update (ELSA-2020-4847) relaxngDatatype-2011.1-7.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Resteasy update (ELSA-2020-4847) resteasy-3.0.26-3.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Slf4j update (ELSA-2020-4847) slf4j-1.7.25-4.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Slf4j-jdk14 update (ELSA-2020-4847) slf4j-jdk14-1.7.25-4.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Stax-ex update (ELSA-2020-4847) stax-ex-1.7.7-8.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Tomcatjss update (ELSA-2020-4847) tomcatjss-7.5.0-1.module+el8.3.0+7857+983338ee.noarch.rpm | Linux
Velocity update (ELSA-2020-4847) velocity-1.7-24.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Xalan-j2 update (ELSA-2020-4847) xalan-j2-2.7.1-38.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Xerces-j2 update (ELSA-2020-4847) xerces-j2-2.11.0-34.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Xml-commons-apis update (ELSA-2020-4847) xml-commons-apis-1.4.01-25.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Xml-commons-resolver update (ELSA-2020-4847) xml-commons-resolver-1.2-26.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Xmlstreambuffer update (ELSA-2020-4847) xmlstreambuffer-1.5.4-8.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Xsom update (ELSA-2020-4847) xsom-0-19.20110809svn.module+el8.3.0+7697+44932688.noarch.rpm | Linux
Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update python3-qrcode-5.1-12.module_el8.6.0+2737+7e73ea90.noarch.rpm | Linux
Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update python3-qrcode-core-5.1-12.module_el8.6.0+2737+7e73ea90.noarch.rpm | Linux
Vulnerabilities CVE-2019-11358,CVE-2019-5428 are fixed in WebJars - jquery for Linux 3.4.0 | Linux
Vulnerabilities CVE-2019-11358,CVE-2019-12308 are fixed in Python-django for linux 2.1.9 | Linux
Vulnerabilities CVE-2019-11358,CVE-2019-12308 are fixed in Python-django for linux 2.2.2 | Linux
Vulnerabilities CVE-2019-11358 are fixed in Ruby-jquery-rails for Linux 4.3.4 | Linux
Vulnerabilities CVE-2019-11358 are fixed in Nuget - jQuery for Linux 3.4.0 | Linux
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) Vulnerability (CVE-2019-11358) | NCM

Patch Details

Patches provided by ManageEngine for this CVE:

Patch ID | Patch Description
PATCH-346981 | Nessus Agent (10.8.4) (Manual Upload Required)
PATCH-346982 | Nessus Agent (x64) (10.8.4) (Manual Upload Required)

References

https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358