CVE-2019-10785

Name: CVE-2019-10785
Description: dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
Source: CVE (at NVD)
References: DLA-2127-1
NVD severity: medium
Debian Bugs: 952771
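As an added illustration of the encoding flaw the description refers to (example code written for this page, not the dojox source or its fix): a JavaScript encoder that calls String.prototype.replace with string patterns, which replaces only the first match, so every later occurrence of each character passes through unescaped, beside a corrected encoder that escapes all occurrences. The function names xmlEncodeFirstOnly, xmlEncodeAll and leaksRawMarkup, and the PAYLOAD string, are constructed for this example.

```javascript
// Added example, not dojox code: "first occurrence only" escaping versus
// escaping every occurrence. Names and sample input are constructed here.

// Vulnerable pattern. With a *string* pattern, String.prototype.replace
// rewrites only the first match, so a second "<" or ">" in the same input
// is emitted verbatim into the XML/HTML that is later parsed.
function xmlEncodeFirstOnly(str) {
  if (!str) return str;
  return str
    .replace("&", "&amp;")
    .replace("<", "&lt;")
    .replace(">", "&gt;")
    .replace("'", "&#39;")
    .replace('"', "&quot;");
}

// Corrected pattern. A single pass over a global character class escapes
// every occurrence, and because each character is mapped exactly once there
// is no ordering problem with the "&" in the emitted entities.
const XML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  "'": "&#39;",
  '"': "&quot;",
};
function xmlEncodeAll(str) {
  if (!str) return str;
  return str.replace(/[&<>'"]/g, (c) => XML_ENTITIES[c]);
}

// Constructed payload: the harmless leading "<b>" consumes the single
// replacement of "<" and ">", so the "<img ... onerror=...>" tag after it
// survives the first-only encoder untouched.
const PAYLOAD = "<b>hi</b><img src=x onerror=alert(1)>";

// Check a practitioner can run over encoder output: true when raw markup
// metacharacters remain, i.e. the encoder did not neutralise the input.
function leaksRawMarkup(encoded) {
  return /[<>'"]/.test(encoded);
}

// Stand-alone demonstration.
console.log("first-only :", xmlEncodeFirstOnly(PAYLOAD));
console.log("  leaks?   :", leaksRawMarkup(xmlEncodeFirstOnly(PAYLOAD)));
console.log("all        :", xmlEncodeAll(PAYLOAD));
console.log("  leaks?   :", leaksRawMarkup(xmlEncodeAll(PAYLOAD)));
```

The same behaviour applies to any escaping routine built on string-pattern replace in JavaScript; the fix is a global regular expression (or an equivalent one-pass map) rather than an extra replace call per character, and the check above is a cheap regression test to keep beside such a routine.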

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release             Version                 Status
dojo (PTS)       jessie              1.10.2+dfsg-1           vulnerable
                 jessie (security)   1.10.2+dfsg-1+deb8u3    fixed
                 buster              1.14.2+dfsg1-1          vulnerable
                 bullseye, sid       1.15.3+dfsg1-1          fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version           Urgency   Origin       Debian Bugs
dojo      source   (unstable)   1.15.2+dfsg1-1                                 952771
dojo      source   jessie       1.10.2+dfsg-1+deb8u2              DLA-2127-1

Notes

[buster] - dojo <no-dsa> (Minor issue)
https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
https://snyk.io/vuln/SNYK-JS-DOJOX-548257
https://github.com/dojo/dojox/pull/315
