Description
Cross-site Scripting in dijit editor's LinkDialog plugin
Impact
XSS possible for users of the Dijit Editor's LinkDialog plugin
Patches
Yes, 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3
Workarounds
Users may apply the patch made in these releases.
For more information
If you have any questions or comments about this advisory, open an issue in dojo/dijit
References
- https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6
- https://nvd.nist.gov/vuln/detail/CVE-2020-4051
- https://github.com/dojo/dijit/commit/462bdcd60d0333315fe69ab4709c894d78f61301
- https://lists.debian.org/debian-lts-announce/2023/01/msg00030.html
- https://security.netapp.com/advisory/ntap-20201023-0003
- https://www.oracle.com/security-alerts/cpuoct2020.html
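Packages
- dijit: affected < 1.11.11, fixed in 1.11.11
- dijit: affected >= 1.12.0, < 1.12.9, fixed in 1.12.9
- dijit: affected >= 1.13.0, < 1.13.8, fixed in 1.13.8
- dijit: affected >= 1.14.0, < 1.14.7, fixed in 1.14.7
- dijit: affected >= 1.15.0, < 1.15.4, fixed in 1.15.4
- dijit: affected >= 1.16.0, < 1.16.3, fixed in 1.16.3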
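An added example (not from the advisory or the Dojo project): one way to check a parsed npm lockfile for dijit copies that fall in the affected ranges listed above and report the fixed release for each. The sample lockfile and the package name `legacy-widgets` are constructed, and counting a pre-release of a fixed version as affected is an assumption made here.

```javascript
// Affected ranges from this advisory: [lowest affected, first fixed] per release line.
const DIJIT_RANGES = [
  ["0.0.0", "1.11.11"], ["1.12.0", "1.12.9"], ["1.13.0", "1.13.8"],
  ["1.14.0", "1.14.7"], ["1.15.0", "1.15.4"], ["1.16.0", "1.16.3"],
].map((pair) => pair.map((v) => v.split(".").map(Number)));
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// Returns the fixed release to upgrade to, or null if the version is not affected.
function fixedReleaseFor(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error("unparseable dijit version: " + version);
  const v = m.slice(1, 4).map(Number);
  for (const [low, fixed] of DIJIT_RANGES) {
    const c = compare(v, fixed);
    // Assumption: a pre-release of a fixed version is counted as affected.
    if (compare(v, low) >= 0 && (c < 0 || (c === 0 && m[4]))) return fixed.join(".");
  }
  return null;
}
// Walk a parsed package-lock.json: the v2/v3 "packages" map if present,
// otherwise the nested v1 "dependencies" tree. Reports every affected dijit copy.
function findAffectedDijit(lock) {
  const hits = [];
  const check = (where, version) => {
    const upgradeTo = fixedReleaseFor(version);
    if (upgradeTo) hits.push({ where, version, upgradeTo });
  };
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages))
      if (/(^|\/)node_modules\/dijit$/.test(path)) check(path, pkg.version);
    return hits;
  }
  (function walk(deps, trail) {
    for (const [name, dep] of Object.entries(deps || {})) {
      if (name === "dijit") check(trail + name, dep.version);
      walk(dep.dependencies, trail + name + " > ");
    }
  })(lock.dependencies, "");
  return hits;
}
// Constructed sample lockfile (v1 layout); "legacy-widgets" is a made-up package.
const SAMPLE_LOCK = { dependencies: {
  dijit: { version: "1.16.2" },
  "legacy-widgets": { version: "2.0.0", dependencies: { dijit: { version: "1.10.4" } } },
} };
console.log(findAffectedDijit(SAMPLE_LOCK));
```

Nested copies matter here because a transitive dependency can pin an older dijit even when the top-level one is patched.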
Related vulnerabilities
In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.
A vulnerability in the LinkDialog plugin of Dojo Toolkit, a modular library for simplifying the development of JavaScript- or AJAX-based applications and sites, that allows an attacker to affect data integrity