ASA-2019-00311 – Django: jQuery Prototype pollution

jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because ofObject.prototype pollution. If an unsanitized source object contained an enumerable __proto__property, it could extend the native Object.prototype. The bundled version of jQuery used by the Django admin has been patched to allow for the select2library's use of jQuery.extend().

ASA-2019-00224 – jQuery: Object Prototype Pollution Vulnerability

It was discovered an object prototype pollution vulnerability (CVE-2019-11358) in the jQuery, a JavaScript library. JavaScript object is like a variable that can be used to store multiple values based on a predefined structure. A prototype is used to define an object’s default structure and default values; it is essential to specify an expected structure particularly when no value is set. This vulnerability enables an attacker to modify a web application's JavaScript object prototype. However, each exploitation must be fine-tuned individually for the specific target, hence requiring the attacker to have in-depth knowledge on how each web application works.