
Update for a critical vulnerability in the Drupal CMS

  • OS details: WN7
  • Importance: URG
  • Operating systems: W, M, U, L, O
  • Categories: ALL, W08, WN7, WN8, W12, W10, W16, W19, HPQ, LRH, LDE, LSU, FBS, LFE, LGE, LUB, APL

Project: Drupal core [1]
Date: 2019-April-17
Security risk: *Moderately critical* 10/25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

The jQuery project released version 3.4.0, and as part of that, disclosed a
security vulnerability that affects all prior versions. As described in their
release notes [3]:

>jQuery 3.4.0 includes a fix for some unintended behavior when using
>jQuery.extend(true, {}, …). If an unsanitized source object contained an
>enumerable __proto__ property, it could extend the native Object.prototype.
>This fix is included in jQuery 3.4.0, but patch diffs exist to patch
>previous jQuery versions.

It’s possible that this vulnerability is exploitable with some Drupal
modules. As a precaution, this Drupal security release backports the fix to
jQuery.extend(), without making any other changes to the jQuery version that
is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or
running on the site via some other module such as jQuery Update [4].
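To make the mechanism concrete, here is an added example that is not jQuery's or Drupal core's own code: a minimal deep merge modelled on jQuery.extend(true, target, source). It shows why an enumerable `__proto__` key in an unsanitized source object (such as parsed JSON) ends up writing onto Object.prototype, and the single guard that jQuery 3.4.0 added and this release backports. The function and option names (deepExtend, isPlainObject, guardProto) and the sample JSON input are this example's own assumptions.

```javascript
// Added example, not jQuery's or Drupal core's own code. A minimal deep merge
// modelled on jQuery.extend(true, target, source) shows why an enumerable
// "__proto__" key in an unsanitized source object pollutes Object.prototype,
// and the one-line guard that jQuery 3.4.0 (and Drupal's backport) adds.
// Names (deepExtend, isPlainObject, guardProto) are this example's own.

// jQuery-style "plain object" test: an object literal, Object.create(null),
// or Object.prototype itself (whose own prototype is null) all qualify.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Recursive merge in the pre-3.4.0 style. With guardProto=false the key
// "__proto__" is treated like any other: target["__proto__"] resolves through
// the accessor to Object.prototype, which isPlainObject accepts as the clone
// target, so the recursion writes the attacker's keys onto Object.prototype.
function deepExtend(target, source, { guardProto = false } = {}) {
  for (const name in source) {
    if (guardProto && name === "__proto__") continue; // the 3.4.0 fix
    const copy = source[name];
    if (copy === target) continue;                    // avoid never-ending loop
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, { guardProto });
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input: JSON.parse creates an ordinary own property
// named "__proto__", which for...in enumerates (an object literal would not).
const UNTRUSTED_JSON = '{"__proto__": {"isAdmin": true}, "theme": "dark"}';

// Merge the untrusted object into an empty target, then check whether an
// unrelated object created afterwards inherits the injected key. Returns true
// when Object.prototype was polluted, and always cleans up afterwards.
function pollutes(guardProto) {
  const untrusted = JSON.parse(UNTRUSTED_JSON);
  deepExtend({}, untrusted, { guardProto });
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log("pre-3.4.0 behaviour pollutes Object.prototype:", pollutes(false)); // true
console.log("with the __proto__ guard:", pollutes(true));                       // false
```

The practical check on a site is the same as the example's last line: after merging attacker-influenced data with a deep extend, a freshly created `{}` must not carry any of the attacker's keys. Whether a given Drupal module actually feeds untrusted input into jQuery.extend(true, …) is what determines exploitability, which is why the advisory rates the risk as theoretical but still backports the guard.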

Install the latest version:

* If you are using Drupal 8.6, update to Drupal 8.6.15 [5].
* If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15 [6].
* If you are using Drupal 7, update to Drupal 7.66 [7].

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive
security coverage.

Also see the Drupal core [8] project page.

Additional information

All advisories released today:

* SA-CORE-2019-005 [9]
* SA-CORE-2019-006 [10]

Updating to the latest Drupal core release will apply the fixes for all the
above advisories.

Reported By:
* dtv_rb [11]
* Jess [12] of the Drupal Security Team

Fixed By:
* Alex Bronstein [13] of the Drupal Security Team
* Lee Rowlands [14] of the Drupal Security Team
* Jess [15] of the Drupal Security Team
* Lauri Eskola [16]
* Greg Knaddison [17] of the Drupal Security Team
* Neil Drumm [18] of the Drupal Security Team
* Samuel Mortenson [19] of the Drupal Security Team



Author: Toni Vugdelija
CERT id: NCERT-REF-2019-04-0001-ADV