CVE-2019-10785

Name: CVE-2019-10785
Description: dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
Source: CVE (at NVD)
References: DLA-2127-1
NVD severity: medium
Debian Bugs: 952771
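As an added illustration (not dojox's own code, which this page does not reproduce), the defect the description names and its corrected form: in JavaScript, String.prototype.replace with a string pattern replaces only the first match, so every special character after the first survives unencoded; a global regular expression (the /g flag) replaces all of them. Function names and the sample input are constructed for this example.

```javascript
// Added example, not code from dojox. Reconstructs the "first occurrence only"
// encoding defect described for dojox.xmpp.util.xmlEncode and the fix for it.

// Flawed pattern: a string pattern makes replace() rewrite only the FIRST match,
// so "<a><b>" becomes "&lt;a&gt;<b>" and the second '<' and '>' survive.
function xmlEncodeFirstOnly(str) {
  if (!str) { return str; }
  return str
    .replace("&", "&amp;")
    .replace("<", "&lt;")
    .replace(">", "&gt;")
    .replace("\"", "&quot;")
    .replace("'", "&#39;");
}

// Corrected: global regular expressions replace EVERY match. '&' is handled
// first so the entities produced by the later steps are not re-encoded.
function xmlEncodeAll(str) {
  if (!str) { return str; }
  return str
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Defensive check: a properly encoded string contains no raw markup-significant
// characters and no '&' that does not start one of the entities emitted above.
function isFullyEncoded(encoded) {
  return !/[<>"']/.test(encoded) &&
         !/&(?!amp;|lt;|gt;|quot;|#39;)/.test(encoded);
}

// Constructed sample with repeated special characters (hypothetical input).
const sample = "<b>x</b> & \"y\" & 'z'";

console.log("first only:", xmlEncodeFirstOnly(sample), isFullyEncoded(xmlEncodeFirstOnly(sample)));
console.log("all       :", xmlEncodeAll(sample), isFullyEncoded(xmlEncodeAll(sample)));
```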

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release       | Version                | Status
dojo (PTS)     | buster        | 1.14.2+dfsg1-1+deb10u1 | vulnerable
dojo (PTS)     | bullseye, sid | 1.15.3+dfsg1-1         | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version          | Urgency | Origin     | Debian Bugs
dojo    | source | (unstable) | 1.15.2+dfsg1-1         |         |            | 952771
dojo    | source | buster     | 1.15.0+dfsg1-1+deb10u1 |         |            |
dojo    | source | jessie     | 1.10.2+dfsg-1+deb8u2   |         | DLA-2127-1 |

Notes

https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
https://snyk.io/vuln/SNYK-JS-DOJOX-548257
https://github.com/dojo/dojox/pull/315
