Security Advisory EZSA-2019-005: Bundled jQuery affected by CVE-2019-11358

Publication date: 27/06/2019, 12:00

Severity: Medium

Affected versions: eZ Platform 2.x
Resolving versions: ezsystems/ezplatform-admin-ui-assets v4.2.0 (eZ Platform v2.5.3)

In eZ Platform 2.x, ezsystems/ezplatform-admin-ui-assets before v4.2.0 includes jQuery version 3.3.1. This version of jQuery is affected by the security vulnerability https://www.cvedetails.com/cve/CVE-2019-11358/

This is fixed in jQuery version 3.4. We recommend that you upgrade your ezsystems/ezplatform-admin-ui-assets to v4.2.0 using Composer. This release includes jQuery 3.4.1.

This issue was reported to us by Carlos Revillo from The Cocktail:

https://the-cocktail.com/

We are very grateful for his research, and responsible disclosure to us.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/

All security advisories

Tech blog

Get started with Ibexa DXP

Tutorials

Training

Slack

GitHub

Product roadmap

Community packages

REST API reference

GraphQL API docs

Product security at Ibexa

Security Advisories

Software service life

Issue tracker

Security advisory: EZSA-2019-005

Bundled jQuery affected by CVE-2019-11358