Moderately critical Drupal core update - Cross Site Scripting - SA-CORE-2019-006

Moderately critical Drupal core update - Cross Site Scripting - SA-CORE-2019-006

Project: Drupal core
Date: 2019-April-17
Security risk: Moderately critical 10∕25
Vulnerability: Cross Site Scripting
CVE IDs: CVE-2019-11358


The jQuery project released version 3.4.0 with the following security vulnerability disclosure that affects all prior versions:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

As Drupal Security Team suggests it's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update.


Install the latest version:

  • If you are using Drupal 8.6, update to Drupal 8.6.15.
  • If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15.
  • If you are using Drupal 7, update to Drupal 7.66.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.