CVE-2019-11358
mediawiki - security update
CVSS 3.1 base score: 6.1 (MEDIUM)
EPSS: 1.5%
Description
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
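The mechanism described above, shown as an added example (this is not jQuery's source code): a minimal deep-extend that models the pre-3.4.0 `jQuery.extend(true, ...)` semantics next to a hardened variant that skips the `__proto__` key, which is the kind of guard the 3.4.0 fix added. The malicious input is constructed here; `JSON.parse` creates an own, enumerable property literally named `__proto__`, which is exactly the "unsanitized source object" the description refers to. The function names `deepExtendVulnerable`, `deepExtendSafe` and `demo` are this example's own.

```javascript
// Added example, not jQuery's code: simplified model of jQuery.extend(true, ...)
// before 3.4.0 and a hardened variant. Names here are the example's own.

// jQuery-style plain-object test: an object whose prototype is null or
// Object.prototype. Note that Object.prototype itself passes this test,
// which is what lets the deep merge walk into it.
function isPlainObject(obj) {
  if (obj === null || typeof obj !== "object") return false;
  const proto = Object.getPrototypeOf(obj);
  return proto === null || proto === Object.prototype;
}

// Vulnerable: copies every enumerable key, including one named "__proto__".
// Reading target["__proto__"] on a plain object returns Object.prototype,
// so the recursive merge writes the attacker's keys onto the shared prototype.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (copy === target) continue;           // avoid self-reference loops
    if (isPlainObject(copy)) {
      const src = target[name];              // for "__proto__": Object.prototype
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened: iterate own keys only and skip "__proto__" outright, the same
// guard jQuery 3.4.0 introduced. The prototype chain is never touched.
function deepExtendSafe(target, source) {
  for (const name of Object.keys(source)) {
    if (name === "__proto__") continue;      // the 3.4.0-style guard
    const copy = source[name];
    if (copy === target) continue;
    if (isPlainObject(copy)) {
      const src = Object.prototype.hasOwnProperty.call(target, name) ? target[name] : undefined;
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Runs one merge of constructed untrusted input through the given extend
// function and reports whether an unrelated object inherited the injected key.
function demo(extendFn) {
  // Constructed malicious input: JSON.parse yields an OWN enumerable property
  // named "__proto__" (it does not change the parsed object's prototype).
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}}');
  extendFn({}, untrusted);
  const leaked = ({}).polluted === true;     // did Object.prototype get polluted?
  delete Object.prototype.polluted;          // clean up so later checks start fresh
  return leaked;
}
```

`demo(deepExtendVulnerable)` returns `true` (a fresh `{}` now inherits `polluted`), while `demo(deepExtendSafe)` returns `false`. The same check is a useful regression test for any in-house deep-merge helper: merge a parsed `{"__proto__": {...}}` document into an empty object and assert that `({}).polluted` stays `undefined`.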
How to fix CVE-2019-11358
To remediate CVE-2019-11358, upgrade the affected package to the corresponding fixed version listed below.
- Debian/drupal7—upgrade to 7.52-2+deb9u8 or later
- —upgrade to 7.32-1+deb8u17 or later
- —upgrade to 1.7.2+dfsg-3.2+deb8u6 or later
- —upgrade to 1:1.31.2-1 or later
- —upgrade to 1:1.27.7-1~deb9u1 or later
- —upgrade to 2.2.4+dfsg-4 or later
- —upgrade to 6.0.26-1 or later
- —upgrade to 3.3.18-1+deb8u14 or later
- —upgrade to 6.0.16-2+deb10u1 or later
- —upgrade to 3.4.0 or later
- —upgrade to 3.4.0 or later
- —upgrade to 3.4.0 or later
- —upgrade to 8.5.15 or later
- —upgrade to 1.19.0 or later
- —upgrade to 2.1.9 or later
- —upgrade to 4.3.4 or later
Is CVE-2019-11358 being exploited?
Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.
Affected packages (16)
- from 0, < 7.52-2+deb9u8
- from 0, < 7.32-1+deb8u17
- from 0, < 1.7.2+dfsg-3.2+deb8u6
- from 0, < 1:1.31.2-1
- from 0, < 1:1.27.7-1~deb9u1
- from 0, < 2.2.4+dfsg-4
- from 0, < 6.0.26-1
- from 0, < 3.3.18-1+deb8u14
- from 0, < 6.0.16-2+deb10u1
- >= 1.1.4, < 3.4.0
- >= 1.1.4, < 3.4.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |