[20190403] – Core – Object.prototype pollution in JQuery $.extend

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Versions: 3.0.0 through 3.9.4
  • Exploit type: XSS
  • Reported Date: 2019-March-25
  • Fixed Date: 2019-April-09
  • CVE Number: TBA


The $.extend method of JQuery is vulnerable to Object.prototype pollution attacks.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.9.4


Upgrade to version 3.9.5


The JSST at the Joomla! Security Centre.

Reported By: Michał Gołębiowski-Owczarek, David Jardin (JSST)

Leave a Comment