Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006

Project: Drupal coreDate: 2019-April-17Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

It's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update.Solution: Install the latest version:

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Also see the Drupal core project page.
Additional information
All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.Reported By: 

Fixed By: 

Path to article https://www.drupal.org/sa-core-2019-006