CVE-2019-11358
gem/jquery-rails
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
jQuery, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...)
because of Object.prototype
pollution. If an unsanitized source object contained an enumerable __proto__
property, it could extend the native Object.prototype.
All versions before 4.3.4
Upgrade to version 4.3.4 or above
2021-10-13
source |