#15353 new bug
Opened September 18, 2019 06:03PM UTC
Last modified September 19, 2019 01:19AM UTC
Security bug reported with jquery ui 1.12
| Reported by: | scottdickerson | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | none |
| Component: | ui.core | Version: | 1.12.1 |
| Keywords: | | Cc: | |
| Blocked by: | | Blocking: | |
Description
A flagged security exposure by our security scan tool
```text
/Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

This is due to your packaged version of jquery

Issue 1 of 2
Issue ID: 2df3ae9d-a1bc-e911-ac11-002590ac753d
Severity: Medium
Status New
Classification Definitive
Location /Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Availability Impact Partial
Confidentiality Impact Partial
Integrity Impact Partial
Date Created Monday, August 12, 2019
Last Updated Monday, August 12, 2019
CVE 2015-9251
File:
/Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Name: CVE-2015-9251
Description: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Resolution: Upgrade To Version 3.0.0
URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
Issue 1 of 2 - Details
None
Issue 2 of 2
Issue ID: 2ef3ae9d-a1bc-e911-ac11-002590ac753d
Severity: Medium
Status New
Classification Definitive
Location /Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Availability Impact Partial
Confidentiality Impact Partial
Integrity Impact Partial
Date Created Monday, August 12, 2019
Last Updated Monday, August 12, 2019
CVE 2019-11358
File:
/Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Name: CVE-2019-11358
Description: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Resolution: Upgrade To Version 3.4.0
URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
```
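An added example, not jQuery's own source and not part of the report above, that models the CVE-2019-11358 mechanism as a small recursive merge in the style of jQuery.extend(true, ...), beside a hardened version with the `__proto__` skip that the jQuery 3.4.0 fix introduced, plus a check a defender can run to confirm Object.prototype is clean. The function names, the JSON sample and the demonstrate() wrapper are my own constructions.

```javascript
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable deep merge (the CVE-2019-11358 shape): it recurses into every own
// key of `src`, and target["__proto__"] resolves to Object.prototype itself.
function deepExtendVulnerable(target, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      target[key] = deepExtendVulnerable(isPlainObject(existing) ? existing : {}, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: skip "__proto__" outright (the jQuery 3.4.0 guard) and
// only merge into properties the target itself owns, never inherited ones.
function deepExtendSafe(target, src) {
  for (const key of Object.keys(src)) {
    if (key === "__proto__") continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = deepExtendSafe(isPlainObject(own) ? own : {}, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Defender's check: a clean Object.prototype has no own enumerable keys.
function prototypePollutedKeys() {
  return Object.keys(Object.prototype);
}

// Constructed sample: JSON.parse keeps "__proto__" as an ordinary own key (the CVE's "unsanitized source object").
const untrustedJson = '{"__proto__": {"polluted": "yes"}, "name": "x"}';

// Merge the sample, report what leaked onto a fresh {}, then restore the prototype.
function demonstrate(extendFn) {
  const result = extendFn({}, JSON.parse(untrustedJson));
  const report = { name: result.name, leaked: ({}).polluted, keys: prototypePollutedKeys() };
  delete Object.prototype.polluted;
  return report;
}
```

demonstrate(deepExtendVulnerable) reports `leaked: "yes"` and `keys: ["polluted"]`, while demonstrate(deepExtendSafe) reports `leaked: undefined` and an empty key list.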
Attachments (0)
Change History (1)
Changed September 19, 2019 01:19AM UTC by comment:1
description: edited to wrap the scanner output (everything from the file path through the second CVE URL) in a {{{ ... }}} preformatted block; the text itself is unchanged from the description above.