Lucene search

[email protected]CVE-2020-5259

HistoryMar 10, 2020 - 6:15 p.m.

CVE-2020-5259

2020-03-1018:15:12

CWE-94

CWE-74

[email protected]

web.nvd.nist.gov

cve-2020-5259

dojox

npm package

jqmix method

prototype pollution

security

vulnerability

patch

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

8.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.3%

JSON

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

Affected configurations

Vulners

NVD

Node

dojowp_affiliate_linksRange<1.11.10

dojowp_affiliate_linksRange1.12.0–1.12.8

dojowp_affiliate_linksRange1.13.0–1.13.7

dojowp_affiliate_linksRange1.14.0–1.14.6

dojowp_affiliate_linksRange1.15.0–1.15.3

dojowp_affiliate_linksRange1.16.0–1.16.2

VendorProductVersionCPE
dojowp_affiliate_links*cpe:2.3:a:dojo:wp_affiliate_links:*:*:*:*:*:*:*:*
dojowp_affiliate_links*cpe:2.3:a:dojo:wp_affiliate_links:*:*:*:*:*:*:*:*
dojowp_affiliate_links*cpe:2.3:a:dojo:wp_affiliate_links:*:*:*:*:*:*:*:*
dojowp_affiliate_links*cpe:2.3:a:dojo:wp_affiliate_links:*:*:*:*:*:*:*:*
dojowp_affiliate_links*cpe:2.3:a:dojo:wp_affiliate_links:*:*:*:*:*:*:*:*
dojowp_affiliate_links*cpe:2.3:a:dojo:wp_affiliate_links:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
dojo	wp_affiliate_links	*	cpe:2.3:a:dojo:wp_affiliate_links::::::::
dojo	wp_affiliate_links	*	cpe:2.3:a:dojo:wp_affiliate_links::::::::
dojo	wp_affiliate_links	*	cpe:2.3:a:dojo:wp_affiliate_links::::::::
dojo	wp_affiliate_links	*	cpe:2.3:a:dojo:wp_affiliate_links::::::::
dojo	wp_affiliate_links	*	cpe:2.3:a:dojo:wp_affiliate_links::::::::
dojo	wp_affiliate_links	*	cpe:2.3:a:dojo:wp_affiliate_links::::::::

CNA Affected

[
  {
    "product": "dojox",
    "vendor": "dojo",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.11.10"
      },
      {
        "status": "affected",
        "version": ">= 1.12.0, < 1.12.8"
      },
      {
        "status": "affected",
        "version": ">= 1.13.0, < 1.13.7"
      },
      {
        "status": "affected",
        "version": ">= 1.14.0, < 1.14.6"
      },
      {
        "status": "affected",
        "version": ">= 1.15.0, < 1.15.3"
      },
      {
        "status": "affected",
        "version": ">= 1.16.0, < 1.16.2"
      }
    ]
  }
]