EZSA-2019-005: Bundled jQuery affected by CVE-2019-11358

Publication date:
27/06/2019 12:00


Affected versions: eZ Platform 2.x
Resolving versions: ezsystems/ezplatform-admin-ui-assets v4.2.0 (eZ Platform v2.5.3)

In eZ Platform 2.x, ezsystems/ezplatform-admin-ui-assets before v4.2.0 includes jQuery version 3.3.1. This version of jQuery is affected by the security vulnerability https://www.cvedetails.com/cve/CVE-2019-11358/
This is fixed in jQuery version 3.4. We recommend that you upgrade your ezsystems/ezplatform-admin-ui-assets to v4.2.0 using Composer. This release includes jQuery 3.4.1.

This issue was reported to us by Carlos Revillo from The Cocktail:

We are very grateful for his research, and responsible disclosure to us.

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ezplatform.com/en/latest/guide/reporting_issues/

All security advisories