Vulnerability Description
In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Dojox | < 1.11.10 |
Related Weaknesses (CWE)
References
- https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9daPatch
- https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cwExploitThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
- https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9daPatch
- https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cwExploitThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
FAQ
What is CVE-2020-5259?
CVE-2020-5259 is a vulnerability with a CVSS score of 7.7 (HIGH). In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language con...
How severe is CVE-2020-5259?
CVE-2020-5259 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-5259?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Dojox.