CVE-2020-5259
Prototype Pollution in Dojox
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
En las versiones afectadas de dojox (paquete NPM), el método jqMix es vulnerable a una Contaminación de Prototipo. La Contaminación de Prototipo se refiere a la capacidad de inyectar propiedades en prototipos de construcciones de lenguaje JavaScript existentes, tales como objetos. Un atacante manipula estos atributos para sobrescribir o contaminar un prototipo de objeto de la aplicación JavaScript del objeto base mediante la inyección de otros valores. Esto ha sido parcheado en las versiones 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 y 1.16.2
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-01-02 CVE Reserved
- 2020-03-10 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da | 2020-03-11 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linuxfoundation Search vendor "Linuxfoundation" | Dojox Search vendor "Linuxfoundation" for product "Dojox" | < 1.11.10 Search vendor "Linuxfoundation" for product "Dojox" and version " < 1.11.10" | node.js |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Dojox Search vendor "Linuxfoundation" for product "Dojox" | >= 1.12.0 < 1.12.8 Search vendor "Linuxfoundation" for product "Dojox" and version " >= 1.12.0 < 1.12.8" | node.js |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Dojox Search vendor "Linuxfoundation" for product "Dojox" | >= 1.13.0 < 1.13.7 Search vendor "Linuxfoundation" for product "Dojox" and version " >= 1.13.0 < 1.13.7" | node.js |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Dojox Search vendor "Linuxfoundation" for product "Dojox" | >= 1.14.0 < 1.14.6 Search vendor "Linuxfoundation" for product "Dojox" and version " >= 1.14.0 < 1.14.6" | node.js |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Dojox Search vendor "Linuxfoundation" for product "Dojox" | >= 1.15.0 < 1.15.3 Search vendor "Linuxfoundation" for product "Dojox" and version " >= 1.15.0 < 1.15.3" | node.js |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Dojox Search vendor "Linuxfoundation" for product "Dojox" | >= 1.16.0 < 1.16.2 Search vendor "Linuxfoundation" for product "Dojox" and version " >= 1.16.0 < 1.16.2" | node.js |
Affected
| ||||||