4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
58.4%
What kind of vulnerability is it? Who is impacted?
Potential XSS vulnerability for users of dojox/xmpp
and dojox/dtl
.
Has the problem been patched? What versions should users upgrade to?
Yes, patches are available for the 1.11 through 1.16 versions. Users should upgrade to one of these versions of Dojo:
Users of Dojo 1.10.x and earlier should review this change and determine if it impacts them, and backport the change as appropriate.
Is there a way for users to fix or remediate the vulnerability without upgrading?
The change applied in https://github.com/dojo/dojox/pull/315 could get added separately as a patch.
If you have any questions or comments about this advisory:
github.com/advisories/GHSA-pg97-ww7h-5mjr
github.com/dojo/dojox/commit/abd033a787c718abc1a390f480ac3ea61288e5ee
github.com/dojo/dojox/pull/315
github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
lists.debian.org/debian-lts-announce/2020/02/msg00033.html
nvd.nist.gov/vuln/detail/CVE-2019-10785
snyk.io/vuln/SNYK-JS-DOJOX-548257
snyk.io/vuln/SNYK-JS-DOJOX-548257,
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
58.4%