Vulnerability Description
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Dojox | >= 1.11.0, < 1.11.9 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjrExploitThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/02/msg00033.htmlMailing ListThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-DOJOX-548257%2C
- https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjrExploitThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/02/msg00033.htmlMailing ListThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-DOJOX-548257%2C
FAQ
What is CVE-2019-10785?
CVE-2019-10785 is a vulnerability with a CVSS score of 6.1 (MEDIUM). dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrenc...
How severe is CVE-2019-10785?
CVE-2019-10785 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-10785?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Dojox, Debian Debian Linux.