- Release Date: May 7, 2019
- Component: jQuery (bundled in TYPO3 core package, ext:core)
- Impact: Cross-Site Scripting, Known Vulnerability
- Affected Versions: all jQuery versions before 3.4.0
- CVE: CVE-2019-11358
Problem Description
jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Compromised JSON results can lead to modified behavior of a whole JavaScript application if passed through jQuery.extend, as shown in the following example (source: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/).
jQuery.extend(true, {}, JSON.parse('{"__proto__": {"test": true}}'));
console.log( "test" in {} ); // true
Solution
An official fix has been released with jQuery version 3.4.0, which also contains code deprecations. In order to keep backward compatibility, TYPO3 integrated only the minimal changes needed to address the vulnerability described.
Update to TYPO3 version 8.7.25 or 9.5.6, which fix the problem.
Patch diffs for previous jQuery versions are available at https://github.com/DanielRuf/snyk-js-jquery-174006?files=1
Extension authors bundling jQuery versions with their source code are advised to upgrade or patch those vulnerable versions accordingly.
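As an added example (not code from this advisory or from jQuery), the following simplified recursive merge shows the pollution described above next to a hardened form that skips the `__proto__` key, together with a probe for checking a deep-merge function such as the deep extend of a bundled jQuery copy. The function names and the marker key `__pp_probe__` are assumptions made for this illustration.

```javascript
// Added example: simplified recursive merge, NOT jQuery's source code.
// The marker key "__pp_probe__" and all function names are constructed here.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: every own key of the source, including "__proto__",
// is followed recursively.
function unsafeMerge(target, source) {
  for (const name of Object.keys(source)) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      // For name === "__proto__", target[name] is Object.prototype itself,
      // so the recursive call writes onto the shared prototype.
      const existing = isPlainObject(target[name]) ? target[name] : {};
      target[name] = unsafeMerge(existing, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened pattern: skip the "__proto__" key before touching the target.
function safeMerge(target, source) {
  for (const name of Object.keys(source)) {
    if (name === "__proto__") continue;
    const copy = source[name];
    if (isPlainObject(copy)) {
      const existing = isPlainObject(target[name]) ? target[name] : {};
      target[name] = safeMerge(existing, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Probe any deep-merge function; restores Object.prototype afterwards.
// For a bundled jQuery copy: pollutesPrototype((t, s) => jQuery.extend(true, t, s))
function pollutesPrototype(merge) {
  const untrusted = JSON.parse('{"__proto__": {"__pp_probe__": true}}');
  merge({}, untrusted);
  const leaked = "__pp_probe__" in {}; // does a fresh object see the key?
  delete Object.prototype.__pp_probe__; // clean up so the probe is repeatable
  return leaked;
}
```

The probe only covers the `__proto__` key discussed in this advisory; it returns `true` for a merge function that is affected and `false` for one that skips the key.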
Credits
Thanks to Daniel Ruf for providing patch diffs for previous jQuery versions.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.