high
7.5
CWE
79 1321 20
Advisory Published
CVE Published
Advisory Published
Updated

CVE-2019-11358: XSS

First published: Wed Mar 27 2019(Updated: )

A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.

Credit: cve@mitre.org cve@mitre.org cve@mitre.org

Affected SoftwareAffected VersionHow to fix
redhat/ansible-tower<0:3.5.2-1.el7a
0:3.5.2-1.el7a
redhat/cfme<0:5.10.9.1-1.el7cf
0:5.10.9.1-1.el7cf
redhat/cfme-amazon-smartstate<0:5.10.9.1-1.el7cf
0:5.10.9.1-1.el7cf
redhat/cfme-appliance<0:5.10.9.1-1.el7cf
0:5.10.9.1-1.el7cf
redhat/cfme-gemset<0:5.10.9.1-1.el7cf
0:5.10.9.1-1.el7cf
redhat/ovirt-ansible-hosted-engine-setup<0:1.0.23-1.el7e
0:1.0.23-1.el7e
redhat/ovirt-ansible-roles<0:1.1.7-1.el7e
0:1.1.7-1.el7e
redhat/ovirt-ansible-vm-infra<0:1.1.19-1.el7e
0:1.1.19-1.el7e
redhat/v2v-conversion-host<0:1.14.2-1.el7e
0:1.14.2-1.el7e
redhat/ipa<0:4.6.8-5.el7
0:4.6.8-5.el7
redhat/pcs<0:0.9.169-3.el7_9.3
0:0.9.169-3.el7_9.3
redhat/pcs<0:0.10.10-4.el8
0:0.10.10-4.el8
redhat/eap7-hal-console<0:3.3.16-1.Final_redhat_00001.1.el8ea
0:3.3.16-1.Final_redhat_00001.1.el8ea
redhat/eap7-hal-console<0:3.3.16-1.Final_redhat_00001.1.el9ea
0:3.3.16-1.Final_redhat_00001.1.el9ea
redhat/eap7-hal-console<0:3.3.16-1.Final_redhat_00001.1.el7ea
0:3.3.16-1.Final_redhat_00001.1.el7ea
redhat/atomic-enterprise-service-catalog<1:3.11.170-1.git.1.91db82e.el7
1:3.11.170-1.git.1.91db82e.el7
redhat/atomic-openshift<0:3.11.170-1.git.0.00cac56.el7
0:3.11.170-1.git.0.00cac56.el7
redhat/atomic-openshift-cluster-autoscaler<0:3.11.170-1.git.1.0a0df6a.el7
0:3.11.170-1.git.1.0a0df6a.el7
redhat/atomic-openshift-descheduler<0:3.11.170-1.git.1.9ad83f2.el7
0:3.11.170-1.git.1.9ad83f2.el7
redhat/atomic-openshift-dockerregistry<0:3.11.170-1.git.1.55fab05.el7
0:3.11.170-1.git.1.55fab05.el7
redhat/atomic-openshift-metrics-server<0:3.11.170-1.git.1.357f177.el7
0:3.11.170-1.git.1.357f177.el7
redhat/atomic-openshift-node-problem-detector<0:3.11.170-1.git.1.b1f90a6.el7
0:3.11.170-1.git.1.b1f90a6.el7
redhat/atomic-openshift-service-idler<0:3.11.170-1.git.1.8328979.el7
0:3.11.170-1.git.1.8328979.el7
redhat/atomic-openshift-web-console<0:3.11.170-1.git.1.3d64e8b.el7
0:3.11.170-1.git.1.3d64e8b.el7
redhat/cri-o<0:1.11.16-0.5.dev.rhaos3.11.git3f89eba.el7
0:1.11.16-0.5.dev.rhaos3.11.git3f89eba.el7
redhat/golang-github-openshift-oauth-proxy<0:3.11.170-1.git.1.b49be83.el7
0:3.11.170-1.git.1.b49be83.el7
redhat/golang-github-prometheus-alertmanager<0:3.11.170-1.git.1.61d7960.el7
0:3.11.170-1.git.1.61d7960.el7
redhat/golang-github-prometheus-prometheus<0:3.11.170-1.git.1.227bc98.el7
0:3.11.170-1.git.1.227bc98.el7
redhat/jenkins<0:2.204.2.1580891656-1.el7
0:2.204.2.1580891656-1.el7
redhat/jenkins<2-plugins-0:3.11.1579107288-1.el7
2-plugins-0:3.11.1579107288-1.el7
redhat/openshift-ansible<0:3.11.170-2.git.5.8802564.el7
0:3.11.170-2.git.5.8802564.el7
redhat/openshift-enterprise-autoheal<0:3.11.170-1.git.1.dfe6c52.el7
0:3.11.170-1.git.1.dfe6c52.el7
redhat/openshift-enterprise-cluster-capacity<0:3.11.170-1.git.1.661684b.el7
0:3.11.170-1.git.1.661684b.el7
redhat/openshift-kuryr<0:3.11.170-1.git.1.7265da1.el7
0:3.11.170-1.git.1.7265da1.el7
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el7
0:18.0.6-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el8
0:18.0.6-1.redhat_00001.1.el8
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el9
0:18.0.6-1.redhat_00001.1.el9
redhat/ovirt-engine-api-explorer<0:0.0.5-1.el7e
0:0.0.5-1.el7e
redhat/ovirt-engine-ui-extensions<0:1.0.10-1.el7e
0:1.0.10-1.el7e
redhat/ovirt-web-ui<0:1.6.0-1.el7e
0:1.6.0-1.el7e
debian/jquery<=3.1.1-2<=3.3.1~dfsg-1
3.3.1~dfsg-2
3.1.1-2+deb9u1
redhat/jquery<3.4.0
3.4.0
redhat/drupal<7.66
7.66
OSIsoft Applications using PI Asset Framework (AF) Client versions prior to and including PI AF Client 2018 SP3 Patch 1, Version 2.10.7.283
OSIsoft Applications using PI Software Development Kit (SDK) versions prior to and including PI SDK 2018 SP1, Version 1.4.7.602
OSIsoft PI API for Windows Integrated Security versions prior to and including 2.0.2.5,
OSIsoft PI API versions prior to and including 1.6.8.26
OSIsoft PI Buffer Subsystem versions prior to and including 4.8.0.18
OSIsoft PI Connector for BACnet, versions prior to and including 1.2.0.6
OSIsoft PI Connector for CygNet, versions prior to and including 1.4.0.17
OSIsoft PI Connector for DC Systems RTscada, versions prior to and including 1.2.0.42
OSIsoft PI Connector for Ethernet/IP, versions prior to and including 1.1.0.10
OSIsoft PI Connector for HART-IP, versions prior to and including 1.3.0.1
OSIsoft PI Connector for Ping, versions prior to and including 1.0.0.54
OSIsoft PI Connector for Wonderware Historian, versions prior to and including 1.5.0.88
OSIsoft PI Connector Relay, versions prior to and including 2.5.19.0
OSIsoft PI Data Archive versions prior to and including PI Data Archive 2018 SP3, Version 3.4.430.460
OSIsoft PI Data Collection Manager, versions prior to and including 2.5.19.0
OSIsoft PI Integrator for Business Analytics versions prior to and including 2018 R2 SP1, Version 2.2.0.183
OSIsoft PI Interface Configuration Utility (ICU) versions prior to and including 1.5.0.7
OSIsoft PI to OCS versions prior to and including 1.1.36.0
composer/maximebf/debugbar<1.19.0
1.19.0
maven/org.webjars.npm:jquery>=1.1.4<3.4.0
3.4.0
nuget/jQuery>=1.1.4<3.4.0
3.4.0
npm/jquery>=1.1.4<3.4.0
3.4.0
pip/django>=2.2a1<2.2.2
2.2.2
pip/django>=2.0a1<2.1.9
2.1.9
rubygems/jquery-rails<4.3.4
4.3.4
debian/mediawiki
1:1.35.13-1+deb11u2
1:1.35.13-1+deb11u3
1:1.39.10-1~deb12u1
1:1.39.10-1
debian/node-jquery
3.5.1+dfsg+~3.5.5-7
3.6.1+dfsg+~3.5.14-1
debian/otrs2
6.0.32-6
jQuery=3.4.0
IBM ApplinX<=11.1
jQuery<3.4.0
Debian=8.0
Debian=9.0
Debian=10.0
Drupal>=7.0<7.66
Drupal>=8.5.0<8.5.15
Drupal>=8.6.0<8.6.15
Backdrop CMS>=1.11.0<1.11.9
Backdrop CMS>=1.12.0<1.12.6
Fedora=28
Fedora=29
Fedora=30
openSUSE Backports=15.0-sp1
openSUSE=15.1
NetApp OnCommand System Manager>=3.0<=3.1.3
NetApp SnapCenter
Red Hat CloudForms=4.7
Red Hat Enterprise Virtualization Manager=4.3
Oracle Agile Product Lifecycle Management for Process=6.1
Oracle Agile Product Lifecycle Management for Process=6.2.0.0
Oracle Agile Product Lifecycle Management for Process=6.2.1.0
Oracle Agile Product Lifecycle Management for Process=6.2.2.0
Oracle Agile Product Lifecycle Management for Process=6.2.3.0
Oracle Application Express<19.1
oracle application service level management=13.2.0.0
oracle application service level management=13.3.0.0
Oracle Application Testing Suite=12.5.0.3
Oracle Application Testing Suite=13.1.0.1
Oracle Application Testing Suite=13.2
Oracle Application Testing Suite=13.2.0.1
Oracle Application Testing Suite=13.3
Oracle Application Testing Suite=13.3.0.1
Oracle Banking Digital Experience=18.1
Oracle Banking Digital Experience=18.2
Oracle Banking Digital Experience=18.3
Oracle Banking Digital Experience=19.1
Oracle Banking Digital Experience=19.2
Oracle Banking Digital Experience=20.1
oracle banking enterprise collections>=2.7.0<=2.8.0
oracle banking platform>=2.4.0<=2.10.0
Oracle BI Publisher=5.5.0.0.0
Oracle BI Publisher=12.2.1.3.0
Oracle BI Publisher=12.2.1.4.0
Oracle Big Data Discovery=1.6
Oracle Business Process Management Suite=12.2.1.3.0
Oracle Business Process Management Suite=12.2.1.4.0
oracle communications analytics=12.1.1
Oracle Communications Application Session Controller=3.8m0
Oracle Communications Billing and Revenue Management=7.5
Oracle Communications Billing and Revenue Management=7.5.0.23.0
Oracle Communications Billing and Revenue Management=12.0
Oracle Communications Billing and Revenue Management=12.0.0.3.0
Oracle Communications Diameter Signaling Router=8.0.0
Oracle Communications Diameter Signaling Router=8.1
Oracle Communications Diameter Signaling Router=8.2
Oracle Communications Diameter Signaling Router=8.2.1
Oracle Communications Eagle>=16.1.0<=16.4.0
oracle communications element manager=8.1.1
oracle communications element manager=8.2.0
oracle communications element manager=8.2.1
Oracle Communications Interactive Session Recorder>=6.0<=6.4
Oracle Communications Operations Monitor>=4.1<=4.3
Oracle Communications Operations Monitor=3.4
Oracle Communications Operations Monitor=4.0
Oracle Communications Operations Monitor=4.1.0
Oracle Communications Services Gatekeeper=7.0
oracle communications session report manager=8.1.1
oracle communications session report manager=8.2.0
oracle communications session report manager=8.2.1
oracle communications session route manager=8.1.1
oracle communications session route manager=8.2.0
oracle communications session route manager=8.2.1
Oracle Communications Unified Inventory Management=7.3
Oracle Communications Unified Inventory Management=7.4.0
Oracle WebRTC Session Controller=7.2
oracle diagnostic assistant=2.12.36
Oracle Enterprise Manager Ops Center=12.3.3
Oracle Enterprise Manager Ops Center=12.4.0
Oracle Enterprise Manager Ops Center=12.4.0.0
Oracle Enterprise Session Border Controller=8.4
Oracle Financial Services Analytical Applications Infrastructure>=7.3.3<=7.3.5
Oracle Financial Services Analytical Applications Infrastructure>=8.0.2<=8.1.0
Oracle Financial Services Analytical Applications Reconciliation Framework>=8.0.4<=8.0.7
Oracle Financial Services Analytical Applications Reconciliation Framework=8.1.0
Oracle Financial Services Asset Liability Management>=8.0.4<=8.0.7
Oracle Financial Services Asset Liability Management=8.1.0
Oracle Financial Services Balance Sheet Planning=8.0.8
Oracle Financial Services Basel Regulatory Capital Basic>=8.0.4<=8.0.7
Oracle Financial Services Basel Regulatory Capital Basic=8.1.0
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach>=8.0.4<=8.0.7
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach=8.1.0
Oracle Financial Services Data Foundation>=8.0.4<=8.0.8
oracle financial services data governance for us regulatory reporting>=8.0.6<=8.0.9
oracle financial services data integration hub>=8.0.5<=8.0.7
oracle financial services data integration hub=8.1.0
oracle financial services enterprise financial performance analytics=8.0.6
oracle financial services enterprise financial performance analytics=8.0.7
Oracle Financial Services Funds Transfer Pricing>=8.0.4<=8.0.7
Oracle Financial Services Funds Transfer Pricing=8.1.0
Oracle Financial Services Hedge Management and IFRS Valuations>=8.0.4<=8.0.7
Oracle Financial Services Hedge Management and IFRS Valuations=8.1.0
oracle financial services institutional performance analytics>=8.0.4<=8.0.7
oracle financial services institutional performance analytics=8.1.0
Oracle Financial Services Liquidity Risk Management=8.0.0.1.0
Oracle Financial Services Liquidity Risk Management=8.0.2
Oracle Financial Services Liquidity Risk Management=8.0.4.0.0
Oracle Financial Services Liquidity Risk Management=8.0.5.0.0
Oracle Financial Services Liquidity Risk Management=8.0.6
Oracle Financial Services Liquidity Risk Measurement and Management=8.0.7
Oracle Financial Services Liquidity Risk Measurement and Management=8.0.8
Oracle Financial Services Liquidity Risk Measurement and Management=8.1.0
Oracle Financial Services Loan Loss Forecasting and Provisioning>=8.0.2<=8.0.7
Oracle Financial Services Loan Loss Forecasting and Provisioning=8.1.0
Oracle Financial Services Market Risk Measurement and Management=8.0.5
Oracle Financial Services Market Risk Measurement and Management=8.0.6
Oracle Financial Services Market Risk Measurement and Management=8.0.8
Oracle Financial Services Price Creation and Discovery>=8.0.4<=8.0.7
Oracle Financial Services Profitability Management>=8.0.4<=8.0.7
Oracle Financial Services Profitability Management=8.1.0
oracle financial services regulatory reporting for de nederlandsche bank=8.0.4
Oracle Financial Services Regulatory Reporting with AgileREPORTER=8.0.6
Oracle Financial Services Regulatory Reporting with AgileREPORTER=8.0.7
oracle financial services regulatory reporting for us federal reserve>=8.0.4<=8.0.7
oracle financial services retail customer analytics>=8.0.4<=8.0.6
oracle financial services retail performance analytics=8.0.6
oracle financial services retail performance analytics=8.0.7
Oracle Financial Services Revenue Management and Billing=2.4.0.0
Oracle Financial Services Revenue Management and Billing=2.4.0.1
Oracle Spatial and Graph MapViewer=12.2.1.3.0
Oracle Healthcare Foundation=7.1.1
Oracle Healthcare Foundation=7.2.0
Oracle Healthcare Foundation=7.2.2
Oracle Healthcare Foundation=7.3.0
Oracle Healthcare Translational Research=3.1.0
Oracle Healthcare Translational Research=3.2.1
Oracle Healthcare Translational Research=3.3.1
Oracle Healthcare Translational Research=3.3.2
Oracle Healthcare Translational Research=3.4.0
Oracle Hospitality Guest Access=4.2.0
Oracle Hospitality Guest Access=4.2.1
Oracle Hospitality Materials Control=18.1
Oracle Hospitality Simphony>=19.1.0<=19.1.2
Oracle Hospitality Simphony=18.1
Oracle Hospitality Simphony=18.2
Oracle Identity Management Suite=12.2.1.3.0
Oracle Insurance Accounting Analyzer=8.0.9
oracle insurance allocation manager for enterprise profitability=8.0.8
oracle insurance allocation manager for enterprise profitability=8.1.0
oracle insurance data foundation>=8.0.4<=8.0.7
oracle insurance ifrs 17 analyzer=8.0.6
oracle insurance ifrs 17 analyzer=8.0.7
Oracle Insurance Insbridge Rating and Underwriting>=5.0.0.0<=5.6.0.0
Oracle Insurance Insbridge Rating and Underwriting=5.6.1.0
oracle insurance performance insight=8.0.7
Oracle JD Edwards EnterpriseOne Tools=9.2
Oracle JDeveloper=11.1.1.9.0
Oracle JDeveloper=12.2.1.3.0
Oracle JDeveloper=12.2.1.4.0
oracle jdeveloper and adf=11.1.1.9.0
oracle jdeveloper and adf=12.1.3.0.0
oracle jdeveloper and adf=12.2.1.3.0
Oracle Knowledge>=8.6.0<=8.6.3
Oracle PeopleSoft Enterprise PeopleTools=8.55
Oracle PeopleSoft Enterprise PeopleTools=8.56
Oracle PeopleSoft Enterprise PeopleTools=8.57
Oracle PeopleSoft Enterprise PeopleTools=8.58
oracle policy automation>=12.2.0<=12.2.15
oracle policy automation=10.4.7
oracle policy automation=12.1.0
oracle policy automation=12.1.1
oracle policy automation connector for siebel=10.4.6
oracle policy automation for mobile devices>=12.2.0<=12.2.15
oracle primavera gateway>=16.2.0<=16.2.11
oracle primavera gateway>=17.12.0<=17.12.7
oracle primavera gateway>=18.8.0<=18.8.9
oracle primavera gateway>=19.12.0<=19.12.4
oracle primavera gateway=15.2.18
Oracle Primavera Unifier>=17.7<=17.12
Oracle Primavera Unifier=16.1
Oracle Primavera Unifier=16.2
Oracle Primavera Unifier=18.8
Oracle Real-Time Scheduler>=2.3.0.1<=2.3.0.3
Oracle REST Data Services=11.2.0.4
Oracle REST Data Services=12.1.0.2
Oracle REST Data Services=12.2.0.1
Oracle REST Data Services=18c
Oracle REST Data Services=19c
Oracle Retail Back Office=14.0
Oracle Retail Back Office=14.1
Oracle Retail Central Office=14.0
Oracle Retail Central Office=14.1
Oracle Retail Customer Insights=15.0
Oracle Retail Customer Insights=16.0
Oracle Customer Management and Segmentation Foundation=18.0
Oracle Customer Management and Segmentation Foundation=19.0
Oracle Retail Point-of-Sale=14.0
Oracle Retail Point-of-Sale=14.1
Oracle Retail Returns Management=14.0
Oracle Retail Returns Management=14.1
Oracle Service Bus=11.1.1.9.0
Oracle Service Bus=12.1.3.0.0
Oracle Service Bus=12.2.1.3.0
oracle siebel mobile applications<=19.8
Oracle Siebel User Interface Framework=20.8
Oracle Storagetek Tape Analytics=2.3.0
oracle system utilities=19.1
Oracle Tape Library ACSLS=8.5
Oracle Tape Library ACSLS=8.5.1
Oracle Transportation Management=1.4.3
oracle utilities mobile workforce management>=2.3.0.1<=2.3.0.3
Oracle WebCenter Sites=12.2.1.3.0
Oracle WebLogic Server=10.3.6.0.0
Oracle WebLogic Server=12.1.3.0.0
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Oracle WebLogic Server=14.1.1.0.0
Joomla>=3.0.0<=3.9.4
Juniper JUNOS=21.2

Remedy

http://seclists.org/fulldisclosure/2019/May/11

Remedy

http://seclists.org/fulldisclosure/2019/May/13

Remedy

http://www.openwall.com/lists/oss-security/2019/06/03/2

Remedy

https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

Remedy

https://github.com/jquery/jquery/pull/4333

Remedy

https://seclists.org/bugtraq/2019/May/18

Remedy

https://snyk.io/vuln/SNYK-JS-JQUERY-174006

Remedy

https://www.drupal.org/sa-core-2019-006

Remedy

https://www.oracle.com//security-alerts/cpujul2021.html

Remedy

https://www.oracle.com/security-alerts/cpuApr2021.html

Remedy

https://www.oracle.com/security-alerts/cpuapr2020.html

Remedy

https://www.oracle.com/security-alerts/cpujan2021.html

Remedy

https://www.oracle.com/security-alerts/cpujan2022.html

Remedy

https://www.oracle.com/security-alerts/cpujul2020.html

Remedy

https://www.oracle.com/security-alerts/cpuoct2020.html

Remedy

https://www.oracle.com/security-alerts/cpuoct2021.html

Remedy

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Remedy

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Remedy

https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/

Remedy

https://www.oracle.com/security-alerts/cpujan2020.html

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2019-11358?

    CVE-2019-11358 has a severity rating of Medium according to the Common Vulnerability Scoring System (CVSS).

  • How do I fix CVE-2019-11358?

    To remediate CVE-2019-11358, you should upgrade jQuery to version 3.4.0 or later.

  • Which software is affected by CVE-2019-11358?

    CVE-2019-11358 affects multiple software packages including jQuery versions prior to 3.4.0 and various tools that depend on those versions.

  • What type of vulnerability is CVE-2019-11358?

    CVE-2019-11358 is classified as a Prototype Pollution vulnerability.

  • What are the potential consequences of CVE-2019-11358?

    Exploitation of CVE-2019-11358 could result in denial of service or unauthorized modifications to objects in the application.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203