Security advisory: EZSA-2019-005

Bundled jQuery affected by CVE-2019-11358
Publication date: 27/06/2019, 12:00

Affected versions: eZ Platform 2.x
Resolving versions: ezsystems/ezplatform-admin-ui-assets v4.2.0 (eZ Platform v2.5.3)

In eZ Platform 2.x, ezsystems/ezplatform-admin-ui-assets before v4.2.0 includes jQuery version 3.3.1. This version of jQuery is affected by the security vulnerability CVE-2019-11358.

This is fixed in jQuery version 3.4. We recommend that you upgrade your ezsystems/ezplatform-admin-ui-assets to v4.2.0 using Composer. This release includes jQuery 3.4.1.
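To confirm that a deployment actually carries the resolving version, the check below reads a project's `composer.lock` and classifies the installed `ezsystems/ezplatform-admin-ui-assets` release against v4.2.0. It is an added example, not code from eZ Systems; it assumes the standard `packages` and `packages-dev` arrays of a Composer lock file, and the sample lock content is constructed.

```python
import json
import re
import sys

PACKAGE = "ezsystems/ezplatform-admin-ui-assets"  # package named in the advisory
FIXED = (4, 2, 0)  # resolving version given in the advisory


def parse_version(raw):
    """Return (major, minor, patch) for plain tags such as 'v4.1.0'.

    Branch aliases and pre-releases ('dev-master', '4.2.x-dev', 'v4.2.0-beta1')
    return None so they are reported for manual review instead of being guessed.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def audit_lock(lock_text):
    """Return (status, version); status is fixed, vulnerable, unknown or absent."""
    lock = json.loads(lock_text)
    installed = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in installed:
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        raw = pkg.get("version", "")
        version = parse_version(raw)
        if version is None:
            return "unknown", raw
        return ("fixed" if version >= FIXED else "vulnerable"), raw
    return "absent", None


# Constructed sample lock file; "example/other-package" is a hypothetical name.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "ezsystems/ezplatform-admin-ui-assets", "version": "v4.1.0"},
        {"name": "example/other-package", "version": "1.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # Pass a path to composer.lock, or run without arguments to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    status, version = audit_lock(text)
    print(f"{PACKAGE}: {version} -> {status}")
```

A result of `unknown` means the lock file pins a branch or pre-release, so the bundled jQuery version has to be checked by hand.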

This issue was reported to us by Carlos Revillo from The Cocktail:

We are very grateful for his research and for his responsible disclosure to us.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:
