CVE-2019-11358

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gem/jquery-rails

Identifiers

CVE-2019-11358

Package Slug

gem/jquery-rails

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

jQuery, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
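
The behaviour described above, as an added example that is not jQuery's or jquery-rails' own code: a simplified recursive merge (the hypothetical deepExtend) stands in for jQuery.extend(true, {}, ...) and is run once with the __proto__ key skipped and once without that check. The input object and the property name "polluted" are constructed for the demonstration.

```javascript
// Simplified stand-in for a recursive (deep) extend. Names are hypothetical.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// skipProto = false reproduces the flaw; skipProto = true is the hardened form.
function deepExtend(target, src, skipProto) {
  for (const name in src) {
    // Hardened form: never merge into the "__proto__" key.
    if (skipProto && name === "__proto__") continue;
    const copy = src[name];
    if (isPlainObject(copy)) {
      // For name === "__proto__" on a fresh object, target[name] is
      // Object.prototype itself, so the recursion writes into it.
      const existing = target[name];
      target[name] = deepExtend(isPlainObject(existing) ? existing : {}, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

function demo() {
  // Constructed input: JSON.parse makes "__proto__" an own, enumerable key,
  // which is the precondition the description names.
  const untrusted = JSON.parse(
    '{"theme": {"color": "red"}, "__proto__": {"polluted": true}}'
  );

  // Hardened merge: ordinary keys are copied, Object.prototype is untouched.
  const merged = deepExtend({}, untrusted, true);
  const afterHardened = ({}).polluted;

  // Merge without the check: every object now inherits "polluted".
  deepExtend({}, untrusted, false);
  const afterVulnerable = ({}).polluted;

  // Undo the pollution so the rest of the process is unaffected.
  delete Object.prototype.polluted;

  return { color: merged.theme.color, afterHardened, afterVulnerable,
           afterCleanup: ({}).polluted };
}

console.log(demo());
```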

Affected Versions

All versions before 4.3.4

Solution

Upgrade to version 4.3.4 or above

Last Modified

2021-10-13
