PT-2019-1889 · Jquery+9
Published 2019-03-25 · Updated 2026-03-10 · CVE-2019-11358
CVSS v3.1: 6.1 Medium | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
jQuery versions 1.1.4 through 3.4.0
Description
The issue is in the jQuery.extend() function, which mishandles the __proto__ property when performing a deep merge, allowing an attacker to pollute Object.prototype. Depending on the context in which the function is used, this could lead to a denial of service, execution of arbitrary JavaScript code, or privilege escalation. The vulnerability can be exploited by a remote attacker using a specially crafted JavaScript object.
Recommendations
For jQuery versions 1.1.4 through 3.4.0, update to version 3.4.0 or later to resolve the issue. As a temporary workaround, consider disabling the deep-merge form jQuery.extend(true, {}, ...) until a patch is available. Restrict access to the vulnerable Object.prototype to minimize the risk of exploitation. Avoid using the __proto__ property in the affected API endpoints until the issue is resolved.
Exploit
Fix
XSS
Prototype Pollution
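The following is an added example illustrating the description and recommendations above; it is not jQuery's source and not code from this advisory. It models the recursive branch of jQuery.extend(true, target, source) in the vulnerable shape (no key check) beside a hardened merge that skips the "__proto__" key, which is the check jQuery 3.4.0 added, and additionally skips "constructor" and "prototype" as a common extra guard. The function names, the pollutes() check and the JSON payload are constructed for this example.

```javascript
// Added example, not jQuery's own code: a deep merge modelled on the recursive
// branch of jQuery.extend(true, target, source), in the vulnerable shape that
// pre-3.4.0 jQuery had, beside a hardened shape. Names and the sample payload
// are constructed for this example.

// jQuery-style plainness test: plain objects and null-prototype objects both
// count as plain, which is why Object.prototype itself (null prototype) is
// accepted as a merge base in the vulnerable version.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable: a source key named "__proto__" makes target[key] resolve, via the
// inherited accessor, to Object.prototype, and the recursion then writes into it.
function deepMergeVulnerable(target, source) {
  for (const key in source) {
    if (!hasOwn(source, key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMergeVulnerable(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: never recurse into keys that reach the prototype chain, and only use
// the target's own properties as a merge base. jQuery 3.4.0 skips "__proto__";
// "constructor" and "prototype" are an additional guard added here.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function deepMergeHardened(target, source) {
  for (const key in source) {
    if (!hasOwn(source, key) || BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMergeHardened(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge against a constructed payload, parsed the way an untrusted JSON
// body would be, and reports whether Object.prototype picked up the marker.
// JSON.parse is used because an object literal {__proto__: ...} would set the
// prototype instead of creating an own key named "__proto__".
function pollutes(merge) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed input
  try {
    merge({}, payload);
    return hasOwn(Object.prototype, "polluted");
  } finally {
    delete Object.prototype.polluted; // leave the runtime clean after the check
  }
}

console.log("vulnerable merge pollutes:", pollutes(deepMergeVulnerable)); // true
console.log("hardened merge pollutes:", pollutes(deepMergeHardened));     // false
```

The pollutes() check doubles as a regression test for any deep-merge helper in a code base: run it against the helper with a marker key and assert that Object.prototype stays untouched. The same guard applies to other merge or "set by path" utilities, not only jQuery.extend.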
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Jira
Junos
Red Hat
Rocky Linux
Suse
Ubuntu
Jquery