FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

drupal -- Drupal core - Moderately critical

Affected packages
drupal7 < 7.66
drupal8 < 8.6.15


VuXML ID 2bad8b5d-66fb-11e9-9815-78acc0a3b880
Discovery 2019-04-17
Entry 2019-04-25

Drupal Security Team reports:

CVE-2019-10909: Escape validation messages in the PHP templating engine.

CVE-2019-10910: Check service IDs are valid.

CVE-2019-10911: Add a separator in the remember me cookie hash.

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

It's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update.