CVE-2020-5259 Prototype Pollution in Dojox

2020-03-1017:50:14

CWE-94

GitHub_M

www.cve.org

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

8.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.4%

JSON

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

CNA Affected

[
  {
    "product": "dojox",
    "vendor": "dojo",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.11.10"
      },
      {
        "status": "affected",
        "version": ">= 1.12.0, < 1.12.8"
      },
      {
        "status": "affected",
        "version": ">= 1.13.0, < 1.13.7"
      },
      {
        "status": "affected",
        "version": ">= 1.14.0, < 1.14.6"
      },
      {
        "status": "affected",
        "version": ">= 1.15.0, < 1.15.3"
      },
      {
        "status": "affected",
        "version": ">= 1.16.0, < 1.16.2"
      }
    ]
  }
]