4 results (0.009 seconds)

CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 5

All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. Todas las versiones del paquete dojo son vulnerables a la Contaminación de Prototipos por medio de la función setObject • https://github.com/dojo/dojo/blob/4c39c14349408fc8274e19b399ffc660512ed07c/_base/lang.js%23L172 https://lists.debian.org/debian-lts-announce/2023/01/msg00030.html https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2313036 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2313035 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBDOJO-2313034 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2313033 https://snyk.io/vuln/SNYK-JS-DOJO-1535223 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.o • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVSS: 7.7EPSS: 0%CPEs: 24EXPL: 2

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2 En las versiones afectadas de dojo (paquete NPM), el método deepCopy es vulnerable a una Contaminación de Prototipo. La Contaminación de Prototipo se refiere a la capacidad de inyectar propiedades en prototipos de construcciones de lenguaje JavaScript existentes, tales como objetos. • https://github.com/ossf-cve-benchmark/CVE-2020-5258 https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2 https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b%40%3Cusers.qpid.apache.org%3E https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3%40%3Cusers.qpid.apache.org%3E https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00%40%3Cusers.qpid.apache.o • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contains a Cross Site Scripting (XSS) vulnerability in unit.html and testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js in the DOH that can result in Victim attacked through their browser - deliver malware, steal HTTP cookies, bypass CORS trust. This attack appear to be exploitable via Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. This vulnerability appears to have been fixed in 1.14. Dojo Dojo Objective Harness (DOH) en versiones anteriores a la 1.14 contiene una vulnerabilidad de Cross-Site Scripting (XSS) en unit.html, testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html y testsDOH/_base/i18nExhaustive.js en el DOH que puede resultar en que la víctima atacada a través de su navegador extienda malware, robe cookies HTTP u omita la confianza de CORS. El ataque parece ser explotable de esta forma: las víctimas suelen ser atraídas a un sitio web bajo el control del atacante; la vulnerabilidad XSS en el dominio objetivo se explota sin que la víctima lo sepa. • https://dojotoolkit.org/blog/dojo-1-14-released https://github.com/dojo/dojo/pull/307 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid. En Dojo Toolkit en versiones anteriores a la 1.14, hay una inyección de cadenas no escapadas en dojox/Grid/DataGrid. • https://dojotoolkit.org/blog/dojo-1-14-released https://github.com/dojo/dojox/pull/283 https://lists.debian.org/debian-lts-announce/2018/09/msg00002.html • CWE-116: Improper Encoding or Escaping of Output •