Описание
Cross-Site Scripting in dojo
Versions of dojo prior to 1.4.2 are vulnerable to DOM-based Cross-Site Scripting (XSS). The package does not sanitize URL parameters in the _testCommon.js and runner.html test files, allowing attackers to execute arbitrary JavaScript in the victim's browser.
Recommendation
Upgrade to version 1.4.2 or later.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2010-2273
- https://github.com/dojo/dojo/pull/307
- https://github.com/dojo/dojo/commit/9117ffd5a3863e44c92fcd58564c0da22be858f4
- https://bugs.dojotoolkit.org/ticket/10773
- https://www.npmjs.com/advisories/972
- http://bugs.dojotoolkit.org/ticket/10773
- http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory
- http://secunia.com/advisories/38964
- http://secunia.com/advisories/40007
- http://www-01.ibm.com/support/docview.wss?uid=swg21431472
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994
- http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk
- http://www.vupen.com/english/advisories/2010/1281
Пакеты
dojo
= 1.13.0
1.13.1
dojo
>= 1.12.0, < 1.12.4
1.12.4
dojo
>= 1.11.0, < 1.11.6
1.11.6
dojo
>= 1.10.0, < 1.10.10
1.10.10
Связанные уязвимости
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x befo ...