Description
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Remediation
References
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994
http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/
http://secunia.com/advisories/40007
http://www.vupen.com/english/advisories/2010/1281
http://bugs.dojotoolkit.org/ticket/10773
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856
http://secunia.com/advisories/38964
http://www-01.ibm.com/support/docview.wss?uid=swg21431472
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849
http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932