Cross-Site Scripting in jQuery before 3.4.0

Categories: Development Created by Oliver Hader
It has been discovered that the third-party library jQuery bundled with TYPO3 is vulnerable to cross-site scripting through prototype pollution.
  • Release Date: May 7, 2019
  • Component: jQuery (bundled in TYPO3 core package, ext:core)
  • Impact: Cross-Site Scripting, Known Vulnerability
  • Affected Versions: all jQuery versions before 3.4.0
  • CVE: CVE-2019-11358

Problem Description

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution: if an unsanitized source object contains an enumerable __proto__ property, the deep merge recurses into it and extends the native Object.prototype instead of a plain target object.

Compromised JSON results (JSON data an attacker can influence) passed through a deep jQuery.extend can therefore change the behavior of the whole JavaScript application, since every object inherits the injected properties. This is shown in the following example (source: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/).

// Deep merge of attacker-controlled JSON that carries an enumerable "__proto__" key
jQuery.extend(true, {},
  JSON.parse('{"__proto__": {"test": true}}')
);
// "test" now resolves on every object through the polluted Object.prototype
console.log( "test" in {} ); // true

Solution

An official fix has been released with jQuery version 3.4.0, which also contains code deprecations. To keep backward compatibility, TYPO3 has not upgraded to jQuery 3.4.0 but integrated only the minimal changes that address the vulnerability described here.

Update to TYPO3 version 8.7.25 or 9.5.6, which fix the problem.
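The following is an added example, not jQuery's or TYPO3's own code, that illustrates both the Problem Description above and the shape of the 3.4.0 fix. It models only the recursive branch of jQuery.extend(true, ...) in a minimal deepExtendVulnerable function, then applies the one-line check jQuery 3.4.0 added (skipping the "__proto__" key) in deepExtendFixed. The function names, the isPlainObject helper and the HOSTILE_JSON input are assumptions constructed for this example; the merge cleans Object.prototype up again so the demonstration does not leave the process polluted.

```javascript
// Added example (not jQuery's code): a minimal deep merge modelled on the
// recursive branch of jQuery.extend(true, ...), first as it behaved before
// 3.4.0 and then with the "__proto__" check the 3.4.0 fix introduced.

function isPlainObject(obj) {
  if (obj === null || typeof obj !== "object") return false;
  const proto = Object.getPrototypeOf(obj);
  // Like jQuery, treat Object.prototype itself (proto === null) as "plain";
  // that is exactly why the recursion below can land on it.
  return proto === null || proto === Object.prototype;
}

// Pre-3.4.0 behaviour: every enumerable key of source is walked, "__proto__"
// included. Reading target["__proto__"] yields Object.prototype, which passes
// isPlainObject, so the recursion copies the attacker's members onto it.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (copy === target) continue;          // jQuery's own self-reference guard
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// 3.4.0 fix: never treat "__proto__" as a key to merge into.
function deepExtendFixed(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || copy === target) continue;
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker-controlled JSON, in the spirit of the advisory's example.
// JSON.parse creates an own, enumerable property literally named "__proto__".
const HOSTILE_JSON = '{"__proto__": {"isAdmin": true}, "name": "x"}';

// Runs one merge implementation and reports whether an unrelated, freshly
// created object now sees the injected property. Cleans up afterwards.
function runExtend(extendFn) {
  const merged = extendFn({}, JSON.parse(HOSTILE_JSON));
  const polluted = "isAdmin" in {};       // fresh object, no own properties
  delete Object.prototype.isAdmin;        // undo any pollution for later code
  return { mergedName: merged.name, polluted };
}

console.log("vulnerable:", runExtend(deepExtendVulnerable)); // polluted: true
console.log("fixed:     ", runExtend(deepExtendFixed));      // polluted: false
```

A quick check of the same kind (merge untrusted JSON, then test `"someKey" in {}`) is a useful way to confirm that a bundled or patched jQuery copy really contains the fix, since the version string alone does not tell you whether a backported patch was applied.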

Patch diffs for previous jQuery versions are available at https://github.com/DanielRuf/snyk-js-jquery-174006?files=1

Extension authors bundling jQuery versions with their source code are advised to upgrade or patch those vulnerable versions accordingly.

Credits

Thanks to Daniel Ruf for providing patch diffs for previous jQuery versions.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.