GitHub Advisory Database: GHSA-P82G-2XPP-M5R3
History: Sep 11, 2020 - 9:18 p.m.

Cross-Site Scripting in dojo

2020-09-11 21:18:05
CWE-79
GitHub Advisory Database
github.com
50
security vulnerability
cross-site scripting
dojo
upgrade

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.003
Percentile: 65.3%

Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim’s browser.

Recommendation

Upgrade to version 1.2.0 or later.

Affected configurations

Vulners
Node: dojo dojo, Range <1.2.0

Vendor  Product  Version  CPE
dojo    dojo     *        cpe:2.3:a:dojo:dojo:*:*:*:*:*:*:*:*
