Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability in a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. IBM MQ Light has addressed the applicable CVE.
CVEID: CVE-2015-5654**
DESCRIPTION:** Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability in a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107041 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
IBM MQ Light V1.0 on all platforms.
The version of IBM MQ Light can be determined by running “mqlight-config --version”. A V1.0 installation will return text containing:`
` Name: IBM MQ Light
Version: 1.0
`
## Remediation/Fixes
Upgrade to the latest version of IBM MQ Light.
The following link describes how to re-use the data from a V1.0 installation using an upgraded installation:_
_[_http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm_](<http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm>)
## Workarounds and Mitigations
None.
##