Description
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
Remediation
References
https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html
https://snyk.io/vuln/SNYK-JS-DOJOX-548257%2C
Related Vulnerabilities
CVE-2022-36599 Vulnerability in maven package net.mingsoft:ms-mcms
CVE-2022-22963 Vulnerability in maven package org.springframework.cloud:spring-cloud-function-core
CVE-2022-24820 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web
CVE-2021-3765 Vulnerability in npm package validator
CVE-2022-41714 Vulnerability in npm package fastest-json-copy