CVE-2020-5259

Name: CVE-2020-5259
Description: In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2139-1
NVD severity: medium
Debian Bugs: 953587
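
The description above names the bug class but not the mechanism. The following is an added illustration, not the dojox jqMix code or the upstream patch: a naive recursive mixin is shown beside a hardened one, run against a constructed JSON payload, so the difference in outcome can be checked. The payload, the helper names and the mixin bodies are all assumptions made for this example.

```javascript
"use strict";

// Constructed payload for this example. JSON.parse creates an *own* property
// literally named "__proto__"; an object literal {"__proto__": ...} would
// instead set the literal's prototype and never reach the mixin as a key.
const UNTRUSTED_JSON = '{"title":"hello","__proto__":{"polluted":"yes"}}';

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive recursive mixin (hypothetical, not jqMix itself): it walks every
// enumerable key, including "__proto__", and recurses into target["__proto__"],
// which on a fresh object resolves to Object.prototype. Every object in the
// process then inherits whatever the payload carried.
function naiveMix(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMix(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys that reach the prototype chain either directly or via
// target.constructor.prototype; a merge must never descend into them.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened mixin: copies only the source's own enumerable keys, refuses the
// blocked names, and only recurses into objects that are *own* properties of
// the target (never into inherited ones such as Object.prototype).
function safeMix(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      target[key] = safeMix(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one mixin against the payload and reports whether an unrelated,
// freshly created object inherited the injected property. Removes the
// property afterwards so the check leaves Object.prototype as it found it.
function checkPollution(mix) {
  const result = mix({}, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  const leaked = unrelated.polluted === "yes";
  delete Object.prototype.polluted;
  return { title: result.title, leaked };
}

console.log("naiveMix leaked into Object.prototype:", checkPollution(naiveMix).leaked);
console.log("safeMix leaked into Object.prototype: ", checkPollution(safeMix).leaked);
```

The `leaked` flag is what a regression test for a merge or mixin utility should assert on: construct the payload with `JSON.parse` (or from a parsed request body), merge it into an empty object, and then read the injected key from a brand-new `{}`.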

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release         Version                   Status
dojo (PTS)       buster          1.14.2+dfsg1-1+deb10u1    vulnerable
                 bullseye, sid   1.15.3+dfsg1-1            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version            Urgency   Origin       Debian Bugs
dojo      source   jessie       1.10.2+dfsg-1+deb8u3               DLA-2139-1
dojo      source   (unstable)   1.15.3+dfsg1-1                                  953587

Notes

[buster] - dojo <no-dsa> (Minor issue)
https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
