Description
dojox is vulnerable to Cross-site Scripting (XSS) in all versions before 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. The cause is that dojox.xmpp.util.xmlEncode encodes only the first occurrence of each XML special character rather than every occurrence; this is the characteristic result of calling String.prototype.replace with a plain string pattern, which replaces only the first match. Any attacker-controlled value containing a second occurrence of a special character therefore passes that character, and the markup that follows it, through unencoded.
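The following added example is not dojox's code; it is an illustrative reconstruction of the bug class described above, with the function names chosen here. It places the first-occurrence-only encoder beside a global-regex version and includes a small check that reports whether raw markup survives encoding.

```javascript
// Added example (not dojox's own code): reconstruction of the bug class.

// Vulnerable pattern: String.prototype.replace with a string pattern
// replaces only the FIRST match, so only the first occurrence of each
// special character is encoded.
function xmlEncodeFirstOnly(str) {
  if (!str) return str;
  return str
    .replace("&", "&amp;")
    .replace(">", "&gt;")
    .replace("<", "&lt;")
    .replace("'", "&apos;")
    .replace('"', "&quot;");
}

// Hardened form: global regexes encode every occurrence. "&" is encoded
// first so the entities produced afterwards are not double-encoded.
function xmlEncodeAll(str) {
  if (!str) return str;
  return str
    .replace(/&/g, "&amp;")
    .replace(/>/g, "&gt;")
    .replace(/</g, "&lt;")
    .replace(/'/g, "&apos;")
    .replace(/"/g, "&quot;");
}

// Check: does any raw XML-significant character survive encoding?
// A bare "&" not starting one of the five entities also counts as a leak.
function leaksMarkup(encoded) {
  return /[<>'"]/.test(encoded) || /&(?!(amp|gt|lt|apos|quot);)/.test(encoded);
}

// Constructed input: a harmless first "<" followed by a script tag.
const payload = '<b>hi</b><script>alert(1)</script>';

// Only the first "<" and ">" are encoded; the script tag survives intact.
const weak = xmlEncodeFirstOnly(payload);
// Every occurrence is encoded; nothing usable as markup remains.
const strong = xmlEncodeAll(payload);

console.log("first-only :", weak, "leaks:", leaksMarkup(weak));
console.log("global     :", strong, "leaks:", leaksMarkup(strong));
```

Running the block shows the first-occurrence-only output still containing a literal `<script>` element while the global-regex output contains only entities, which is exactly the difference the advisory describes.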
Remediation
Upgrade dojox to version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 or 1.11.9 (or later in the corresponding release branch).
References
https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html
https://snyk.io/vuln/SNYK-JS-DOJOX-548257
Related Vulnerabilities
CVE-2021-23414 Vulnerability in npm package video.js
CVE-2015-5688 Vulnerability in npm package geddy
CVE-2022-47551 Vulnerability in maven package io.apiman:apiman-common-config
CVE-2024-36401 Vulnerability in maven package org.geoserver.web:gs-web-app
CVE-2023-29923 Vulnerability in maven package tech.powerjob:powerjob