ByteOS Network

dojox

Source -

CNANVD

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2020-5259

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-7.7||HIGH

EPSS-0.59% / 68.14%

7 Day CHG~0.00%

Published-10 Mar, 2020 | 17:50

Updated-04 Aug, 2024 | 08:22

Prototype Pollution in Dojox

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

Vendor-Dojo (OpenJS Foundation)The Linux Foundation

Product-dojox dojox

CWE ID-CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2019-10785

Assigner-Snyk

View Details

Assigner-Snyk

CVSS Score-6.1||MEDIUM

EPSS-0.26% / 48.72%

7 Day CHG+0.01%

Published-13 Feb, 2020 | 16:02

Updated-04 Aug, 2024 | 22:32

dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.

Vendor-n/a Debian GNU/Linux The Linux Foundation

Product-dojox debian_linux dojox

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')