Exploited
high
7.5
CWE
79 1321 20
Advisory Published
CVE Published
Advisory Published
Updated

CVE-2019-11358: XSS

First published: Wed Mar 27 2019(Updated: )

A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.

Credit: cve@mitre.org cve@mitre.org cve@mitre.org

Affected SoftwareAffected VersionHow to fix
redhat/ansible-tower<0:3.5.2-1.el7a
0:3.5.2-1.el7a
redhat/cfme<0:5.10.9.1-1.el7cf
0:5.10.9.1-1.el7cf
redhat/cfme-amazon-smartstate<0:5.10.9.1-1.el7cf
0:5.10.9.1-1.el7cf
redhat/cfme-appliance<0:5.10.9.1-1.el7cf
0:5.10.9.1-1.el7cf
redhat/cfme-gemset<0:5.10.9.1-1.el7cf
0:5.10.9.1-1.el7cf
redhat/ovirt-ansible-hosted-engine-setup<0:1.0.23-1.el7e
0:1.0.23-1.el7e
redhat/ovirt-ansible-roles<0:1.1.7-1.el7e
0:1.1.7-1.el7e
redhat/ovirt-ansible-vm-infra<0:1.1.19-1.el7e
0:1.1.19-1.el7e
redhat/v2v-conversion-host<0:1.14.2-1.el7e
0:1.14.2-1.el7e
redhat/ipa<0:4.6.8-5.el7
0:4.6.8-5.el7
redhat/pcs<0:0.9.169-3.el7_9.3
0:0.9.169-3.el7_9.3
redhat/pcs<0:0.10.10-4.el8
0:0.10.10-4.el8
redhat/eap7-hal-console<0:3.3.16-1.Final_redhat_00001.1.el8ea
0:3.3.16-1.Final_redhat_00001.1.el8ea
redhat/eap7-hal-console<0:3.3.16-1.Final_redhat_00001.1.el9ea
0:3.3.16-1.Final_redhat_00001.1.el9ea
redhat/eap7-hal-console<0:3.3.16-1.Final_redhat_00001.1.el7ea
0:3.3.16-1.Final_redhat_00001.1.el7ea
redhat/atomic-enterprise-service-catalog<1:3.11.170-1.git.1.91db82e.el7
1:3.11.170-1.git.1.91db82e.el7
redhat/atomic-openshift<0:3.11.170-1.git.0.00cac56.el7
0:3.11.170-1.git.0.00cac56.el7
redhat/atomic-openshift-cluster-autoscaler<0:3.11.170-1.git.1.0a0df6a.el7
0:3.11.170-1.git.1.0a0df6a.el7
redhat/atomic-openshift-descheduler<0:3.11.170-1.git.1.9ad83f2.el7
0:3.11.170-1.git.1.9ad83f2.el7
redhat/atomic-openshift-dockerregistry<0:3.11.170-1.git.1.55fab05.el7
0:3.11.170-1.git.1.55fab05.el7
redhat/atomic-openshift-metrics-server<0:3.11.170-1.git.1.357f177.el7
0:3.11.170-1.git.1.357f177.el7
redhat/atomic-openshift-node-problem-detector<0:3.11.170-1.git.1.b1f90a6.el7
0:3.11.170-1.git.1.b1f90a6.el7
redhat/atomic-openshift-service-idler<0:3.11.170-1.git.1.8328979.el7
0:3.11.170-1.git.1.8328979.el7
redhat/atomic-openshift-web-console<0:3.11.170-1.git.1.3d64e8b.el7
0:3.11.170-1.git.1.3d64e8b.el7
redhat/cri-o<0:1.11.16-0.5.dev.rhaos3.11.git3f89eba.el7
0:1.11.16-0.5.dev.rhaos3.11.git3f89eba.el7
redhat/golang-github-openshift-oauth-proxy<0:3.11.170-1.git.1.b49be83.el7
0:3.11.170-1.git.1.b49be83.el7
redhat/golang-github-prometheus-alertmanager<0:3.11.170-1.git.1.61d7960.el7
0:3.11.170-1.git.1.61d7960.el7
redhat/golang-github-prometheus-prometheus<0:3.11.170-1.git.1.227bc98.el7
0:3.11.170-1.git.1.227bc98.el7
redhat/jenkins<0:2.204.2.1580891656-1.el7
0:2.204.2.1580891656-1.el7
redhat/jenkins<2-plugins-0:3.11.1579107288-1.el7
2-plugins-0:3.11.1579107288-1.el7
redhat/openshift-ansible<0:3.11.170-2.git.5.8802564.el7
0:3.11.170-2.git.5.8802564.el7
redhat/openshift-enterprise-autoheal<0:3.11.170-1.git.1.dfe6c52.el7
0:3.11.170-1.git.1.dfe6c52.el7
redhat/openshift-enterprise-cluster-capacity<0:3.11.170-1.git.1.661684b.el7
0:3.11.170-1.git.1.661684b.el7
redhat/openshift-kuryr<0:3.11.170-1.git.1.7265da1.el7
0:3.11.170-1.git.1.7265da1.el7
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el7
0:18.0.6-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el8
0:18.0.6-1.redhat_00001.1.el8
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el9
0:18.0.6-1.redhat_00001.1.el9
redhat/ovirt-engine-api-explorer<0:0.0.5-1.el7e
0:0.0.5-1.el7e
redhat/ovirt-engine-ui-extensions<0:1.0.10-1.el7e
0:1.0.10-1.el7e
redhat/ovirt-web-ui<0:1.6.0-1.el7e
0:1.6.0-1.el7e
debian/jquery<=3.1.1-2<=3.3.1~dfsg-1
3.3.1~dfsg-2
3.1.1-2+deb9u1
redhat/jquery<3.4.0
3.4.0
redhat/drupal<7.66
7.66
composer/maximebf/debugbar<1.19.0
1.19.0
maven/org.webjars.npm:jquery>=1.1.4<3.4.0
3.4.0
nuget/jQuery>=1.1.4<3.4.0
3.4.0
npm/jquery>=1.1.4<3.4.0
3.4.0
pip/django>=2.2a1<2.2.2
2.2.2
pip/django>=2.0a1<2.1.9
2.1.9
rubygems/jquery-rails<4.3.4
4.3.4
jQuery=3.4.0
IBM ApplinX<=11.1
OSIsoft PI Asset Framework (AF) Client
OSIsoft PI Software Development Kit (SDK)
OSIsoft PI API
OSIsoft PI API
OSIsoft PI Buffer Subsystem
OSIsoft PI Connector for BACnet
OSIsoft PI Connector for CygNet
OSIsoft PI Connector for DC Systems RTscada
OSIsoft PI Connector for Ethernet/IP
OSIsoft
OSIsoft PI Connector for Ping
OSIsoft PI Connector for Wonderware Historian
OSIsoft PI Connector Relay
OSIsoft PI Data Archive
OSIsoft PI Data Collection Manager
OSIsoft PI Integrator for Business Analytics
OSIsoft PI Interface Configuration Utility
OSIsoft PI to OCS
jQuery<3.4.0
Debian Linux=8.0
Debian Linux=9.0
Debian Linux=10.0
Drupal>=7.0<7.66
Drupal>=8.5.0<8.5.15
Drupal>=8.6.0<8.6.15
Backdrop>=1.11.0<1.11.9
Backdrop>=1.12.0<1.12.6
Red Hat Fedora=28
Red Hat Fedora=29
Red Hat Fedora=30
openSUSE Backports=15.0-sp1
SUSE Linux=15.1
NetApp System Manager>=3.0<=3.1.3
NetApp SnapCenter
Red Hat CloudForms=4.7
Red Hat Enterprise Virtualization Manager=4.3
Oracle Agile Product Lifecycle Management=6.1
Oracle Agile Product Lifecycle Management=6.2.0.0
Oracle Agile Product Lifecycle Management=6.2.1.0
Oracle Agile Product Lifecycle Management=6.2.2.0
Oracle Agile Product Lifecycle Management=6.2.3.0
Oracle Application Express<19.1
Oracle Application Service Level Management=13.2.0.0
Oracle Application Service Level Management=13.3.0.0
Oracle Application Testing Suite=12.5.0.3
Oracle Application Testing Suite=13.1.0.1
Oracle Application Testing Suite=13.2
Oracle Application Testing Suite=13.2.0.1
Oracle Application Testing Suite=13.3
Oracle Application Testing Suite=13.3.0.1
Oracle Banking Digital Experience=18.1
Oracle Banking Digital Experience=18.2
Oracle Banking Digital Experience=18.3
Oracle Banking Digital Experience=19.1
Oracle Banking Digital Experience=19.2
Oracle Banking Digital Experience=20.1
Oracle Banking Enterprise Collections>=2.7.0<=2.8.0
Oracle Banking Platform>=2.4.0<=2.10.0
Oracle Analytics Publisher=5.5.0.0.0
Oracle Analytics Publisher=12.2.1.3.0
Oracle Analytics Publisher=12.2.1.4.0
Oracle Big Data Discovery=1.6
Oracle Business Process Management Suite=12.2.1.3.0
Oracle Business Process Management Suite=12.2.1.4.0
Oracle Communications Analytics=12.1.1
Oracle Communications Application Session Controller=3.8m0
Oracle Communications Billing and Revenue Management=7.5
Oracle Communications Billing and Revenue Management=7.5.0.23.0
Oracle Communications Billing and Revenue Management=12.0
Oracle Communications Billing and Revenue Management=12.0.0.3.0
Oracle Communications Diameter Signaling Router=8.0.0
Oracle Communications Diameter Signaling Router=8.1
Oracle Communications Diameter Signaling Router=8.2
Oracle Communications Diameter Signaling Router=8.2.1
Oracle Communications Eagle>=16.1.0<=16.4.0
Oracle Communications Element Manager=8.1.1
Oracle Communications Element Manager=8.2.0
Oracle Communications Element Manager=8.2.1
Oracle Communications Interactive Session Recorder>=6.0<=6.4
Oracle Communications Operations Monitor>=4.1<=4.3
Oracle Communications Operations Monitor=3.4
Oracle Communications Operations Monitor=4.0
Oracle Communications Operations Monitor=4.1.0
GNU Gatekeeper=7.0
Oracle Communications Session Report Manager=8.1.1
Oracle Communications Session Report Manager=8.2.0
Oracle Communications Session Report Manager=8.2.1
Oracle Communications Session Route Manager=8.1.1
Oracle Communications Session Route Manager=8.2.0
Oracle Communications Session Route Manager=8.2.1
Oracle Communications Unified Inventory Management=7.3
Oracle Communications Unified Inventory Management=7.4.0
Oracle WebRTC Session Controller=7.2
Oracle Diagnostic Assistant=2.12.36
Oracle Enterprise Manager Ops Center=12.3.3
Oracle Enterprise Manager Ops Center=12.4.0
Oracle Enterprise Manager Ops Center=12.4.0.0
Oracle Enterprise Session Border Controller=8.4
Oracle Financial Services Analytical Applications Infrastructure>=7.3.3<=7.3.5
Oracle Financial Services Analytical Applications Infrastructure>=8.0.2<=8.1.0
Oracle Financial Services Analytical Applications Reconciliation Framework>=8.0.4<=8.0.7
Oracle Financial Services Analytical Applications Reconciliation Framework=8.1.0
Oracle Financial Services Asset Liability Management>=8.0.4<=8.0.7
Oracle Financial Services Asset Liability Management=8.1.0
Oracle Financial Services Balance Sheet Planning=8.0.8
Oracle Financial Services Basel Regulatory Capital Basic>=8.0.4<=8.0.7
Oracle Financial Services Basel Regulatory Capital Basic=8.1.0
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach>=8.0.4<=8.0.7
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach=8.1.0
Oracle Financial Services Data Foundation>=8.0.4<=8.0.8
Oracle Financial Services Data Governance for US Regulatory Reporting>=8.0.6<=8.0.9
Oracle Financial Services Data Integration Hub>=8.0.5<=8.0.7
Oracle Financial Services Data Integration Hub=8.1.0
Oracle Financial Services Enterprise Financial Performance Analytics=8.0.6
Oracle Financial Services Enterprise Financial Performance Analytics=8.0.7
Oracle Financial Services Funds Transfer Pricing>=8.0.4<=8.0.7
Oracle Financial Services Funds Transfer Pricing=8.1.0
Oracle Financial Services Hedge Management and IFRS Valuations>=8.0.4<=8.0.7
Oracle Financial Services Hedge Management and IFRS Valuations=8.1.0
Oracle Financial Services Institutional Performance Analytics>=8.0.4<=8.0.7
Oracle Financial Services Institutional Performance Analytics=8.1.0
Oracle Financial Services Liquidity Risk Measurement and Management=8.0.0.1.0
Oracle Financial Services Liquidity Risk Measurement and Management=8.0.2
Oracle Financial Services Liquidity Risk Measurement and Management=8.0.4.0.0
Oracle Financial Services Liquidity Risk Measurement and Management=8.0.5.0.0
Oracle Financial Services Liquidity Risk Measurement and Management=8.0.6
Oracle Financial Services Liquidity Risk Measurement and Management=8.0.7
Oracle Financial Services Liquidity Risk Measurement and Management=8.0.8
Oracle Financial Services Liquidity Risk Measurement and Management=8.1.0
Oracle Financial Services Loan Loss Forecasting and Provisioning>=8.0.2<=8.0.7
Oracle Financial Services Loan Loss Forecasting and Provisioning=8.1.0
Oracle Financial Services Market Risk Measurement and Management=8.0.5
Oracle Financial Services Market Risk Measurement and Management=8.0.6
Oracle Financial Services Market Risk Measurement and Management=8.0.8
Oracle Financial Services Price Creation and Discovery>=8.0.4<=8.0.7
Oracle Financial Services Profitability Management>=8.0.4<=8.0.7
Oracle Financial Services Profitability Management=8.1.0
Oracle Financial Services Regulatory Reporting=8.0.4
Oracle Financial Services Regulatory Reporting with AgileREPORTER=8.0.6
Oracle Financial Services Regulatory Reporting with AgileREPORTER=8.0.7
Oracle Financial Services Regulatory Reporting>=8.0.4<=8.0.7
Oracle Financial Services Retail Customer Analytics>=8.0.4<=8.0.6
Oracle Financial Services Retail Performance Analytics=8.0.6
Oracle Financial Services Retail Performance Analytics=8.0.7
Oracle Financial Services Revenue Management and Billing=2.4.0.0
Oracle Financial Services Revenue Management and Billing=2.4.0.1
Oracle Spatial and Graph MapViewer=12.2.1.3.0
Oracle Healthcare Foundation=7.1.1
Oracle Healthcare Foundation=7.2.0
Oracle Healthcare Foundation=7.2.2
Oracle Healthcare Foundation=7.3.0
Oracle Healthcare Translational Research=3.1.0
Oracle Healthcare Translational Research=3.2.1
Oracle Healthcare Translational Research=3.3.1
Oracle Healthcare Translational Research=3.3.2
Oracle Healthcare Translational Research=3.4.0
Oracle Hospitality Guest Access=4.2.0
Oracle Hospitality Guest Access=4.2.1
Oracle Hospitality Materials Control=18.1
Oracle Hospitality Simphony>=19.1.0<=19.1.2
Oracle Hospitality Simphony=18.1
Oracle Hospitality Simphony=18.2
Oracle Identity Management Suite=12.2.1.3.0
Oracle Insurance Accounting Analyzer=8.0.9
Oracle Insurance Allocation Manager for Enterprise Profitability=8.0.8
Oracle Insurance Allocation Manager for Enterprise Profitability=8.1.0
Oracle Insurance Data Foundation>=8.0.4<=8.0.7
Oracle Insurance IFRS 17 Analyzer=8.0.6
Oracle Insurance IFRS 17 Analyzer=8.0.7
Oracle Insurance Insbridge Rating and Underwriting>=5.0.0.0<=5.6.0.0
Oracle Insurance Insbridge Rating and Underwriting=5.6.1.0
Oracle Insurance Performance Insight=8.0.7
Oracle JD Edwards EnterpriseOne Tools=9.2
Oracle JDeveloper=11.1.1.9.0
Oracle JDeveloper=12.2.1.3.0
Oracle JDeveloper=12.2.1.4.0
Oracle JDeveloper=11.1.1.9.0
Oracle JDeveloper=12.1.3.0.0
Oracle JDeveloper=12.2.1.3.0
Oracle Knowledge>=8.6.0<=8.6.3
Oracle PeopleTools=8.55
Oracle PeopleTools=8.56
Oracle PeopleTools=8.57
Oracle PeopleTools=8.58
Oracle Policy Automation>=12.2.0<=12.2.15
Oracle Policy Automation=10.4.7
Oracle Policy Automation=12.1.0
Oracle Policy Automation=12.1.1
Oracle Policy Automation=10.4.6
Oracle Policy Automation>=12.2.0<=12.2.15
Oracle Primavera Gateway>=16.2.0<=16.2.11
Oracle Primavera Gateway>=17.12.0<=17.12.7
Oracle Primavera Gateway>=18.8.0<=18.8.9
Oracle Primavera Gateway>=19.12.0<=19.12.4
Oracle Primavera Gateway=15.2.18
Oracle Unifier>=17.7<=17.12
Oracle Unifier=16.1
Oracle Unifier=16.2
Oracle Unifier=18.8
Oracle Real-Time Scheduler>=2.3.0.1<=2.3.0.3
Oracle REST Data Services=11.2.0.4
Oracle REST Data Services=12.1.0.2
Oracle REST Data Services=12.2.0.1
Oracle REST Data Services=18c
Oracle REST Data Services=19c
Oracle Retail Back Office=14.0
Oracle Retail Back Office=14.1
Oracle Retail Central Office=14.0
Oracle Retail Central Office=14.1
Oracle Retail Customer Insights=15.0
Oracle Retail Customer Insights=16.0
Oracle Customer Management and Segmentation Foundation=18.0
Oracle Customer Management and Segmentation Foundation=19.0
Oracle Retail Point-of-Sale=14.0
Oracle Retail Point-of-Sale=14.1
Oracle Retail Returns Management=14.0
Oracle Retail Returns Management=14.1
Oracle Service Bus=11.1.1.9.0
Oracle Service Bus=12.1.3.0.0
Oracle Service Bus=12.2.1.3.0
Oracle Siebel Mobile<=19.8
Oracle Siebel User Interface Framework=20.8
Oracle Storagetek Tape Analytics=2.3.0
Oracle Utilities=19.1
Oracle StorageTek ACSLS=8.5
Oracle StorageTek ACSLS=8.5.1
Oracle Transportation Execution=1.4.3
Oracle Utilities>=2.3.0.1<=2.3.0.3
Oracle WebCenter Sites=12.2.1.3.0
Oracle WebLogic Server=10.3.6.0.0
Oracle WebLogic Server=12.1.3.0.0
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Oracle WebLogic Server=14.1.1.0.0
Joomla>=3.0.0<=3.9.4
Junos OS Evolved=21.2
debian/mediawiki
1:1.35.13-1+deb11u2
1:1.35.13-1+deb11u3
1:1.39.10-1~deb12u1
1:1.39.12-1~deb12u1
1:1.43.1+dfsg-1
1:1.43.1+dfsg-2
debian/node-jquery
3.5.1+dfsg+~3.5.5-7
3.6.1+dfsg+~3.5.14-1
debian/otrs2
6.0.32-6

Remedy

http://seclists.org/fulldisclosure/2019/May/11

Remedy

http://seclists.org/fulldisclosure/2019/May/13

Remedy

http://www.openwall.com/lists/oss-security/2019/06/03/2

Remedy

https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

Remedy

https://github.com/jquery/jquery/pull/4333

Remedy

https://seclists.org/bugtraq/2019/May/18

Remedy

https://snyk.io/vuln/SNYK-JS-JQUERY-174006

Remedy

https://www.drupal.org/sa-core-2019-006

Remedy

https://www.oracle.com//security-alerts/cpujul2021.html

Remedy

https://www.oracle.com/security-alerts/cpuApr2021.html

Remedy

https://www.oracle.com/security-alerts/cpuapr2020.html

Remedy

https://www.oracle.com/security-alerts/cpujan2021.html

Remedy

https://www.oracle.com/security-alerts/cpujan2022.html

Remedy

https://www.oracle.com/security-alerts/cpujul2020.html

Remedy

https://www.oracle.com/security-alerts/cpuoct2020.html

Remedy

https://www.oracle.com/security-alerts/cpuoct2021.html

Remedy

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Remedy

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Remedy

https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/

Remedy

https://www.oracle.com/security-alerts/cpujan2020.html

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2019-11358?

    CVE-2019-11358 has a severity rating of Medium according to the Common Vulnerability Scoring System (CVSS).

  • How do I fix CVE-2019-11358?

    To remediate CVE-2019-11358, you should upgrade jQuery to version 3.4.0 or later.

  • Which software is affected by CVE-2019-11358?

    CVE-2019-11358 affects multiple software packages including jQuery versions prior to 3.4.0 and various tools that depend on those versions.

  • What type of vulnerability is CVE-2019-11358?

    CVE-2019-11358 is classified as a Prototype Pollution vulnerability.

  • What are the potential consequences of CVE-2019-11358?

    Exploitation of CVE-2019-11358 could result in denial of service or unauthorized modifications to objects in the application.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203