This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge()