7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.018 Low
EPSS
Percentile
88.3%
Drupal Security Team reports:
CVE-2019-10909: Escape validation messages in the PHP templating engine.
CVE-2019-10910: Check service IDs are valid.
CVE-2019-10911: Add a separator in the remember me cookie hash.
jQuery 3.4.0 includes a fix for some unintended behavior when using
jQuery.extend(true, {}, …). If an unsanitized source object contained
an enumerable proto property, it could extend the native Object.prototype.
This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous
jQuery versions.
It’s possible that this vulnerability is exploitable with some Drupal modules.
As a precaution, this Drupal security release backports the fix to jQuery.extend(),
without making any other changes to the jQuery version that is included in
Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site
via some other module such as jQuery Update.
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.018 Low
EPSS
Percentile
88.3%