Object Prototype Pollution in jQuery Used by Drupal and Backdrop CMS
CVE-2019-11358

6.1MEDIUM

Key Information:

Vendor: Jquery
Status: Jquery
Vendor: CVE Published:; 20 April 2019

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability exists in versions of jQuery before 3.4.0, as utilized in Drupal and Backdrop CMS, where improper handling of Object.prototype can lead to prototype pollution. Specifically, if an unsanitized source object contains an enumerable proto property, it allows attackers to modify the native Object.prototype, potentially impacting the behavior of JavaScript objects in the affected applications. This issue can be leveraged to execute arbitrary code and cause further exploitation within web applications.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

snyk-js-jquery-174006
Created by DanielRuf

jquery-prototype-pollution-fix
Created by bitnesswise

https-nj.gov---CVE-2019-11358
Created by Snorlyd

References

https://www.drupal.org/sa-core-2019-006

https://www.synology.com/security/advisory/Synology_SA_19_19

https://www.debian.org/security/2019/dsa-4434

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Aug 5, 2023
👾
Exploit known to exist
Aug 5, 2023
Vulnerability published
Apr 20, 2019
Vulnerability Reserved
Apr 19, 2019