CVE-2018-1000665
Published: 2018-09-06
CVE-2018-1000665: Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contains a Cross Site Scripting (XSS) vulnerability in unit.html and…
Priority P425 · medium · 6.1 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.29% (66.6th percentile)
Dojo Dojo Objective Harness (DOH) versions prior to 1.14 contain a cross-site scripting (XSS) vulnerability in unit.html, testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js. It can result in a victim being attacked through their browser: malware delivery, theft of HTTP cookies, bypass of CORS trust. The attack appears to be exploitable when victims are lured, as is typical, to a web site under the attacker's control; the XSS vulnerability on the target domain is then silently exploited without the victim's knowledge. The vulnerability appears to have been fixed in 1.14.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dojo | < dojo 1.14.1+dfsg1-1 (bookworm) | dojo 1.14.1+dfsg1-1 (bookworm) |
| dojotoolkit | dojo | <= 1.13.0 | — |
| linuxfoundation | dojo | >= 0 < 1.14.1+dfsg1-1 | 1.14.1+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.14.1+dfsg1-1 | 1.14.1+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.14.1+dfsg1-1 | 1.14.1+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.14.1+dfsg1-1 | 1.14.1+dfsg1-1 |
CVSS provenance
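| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | LOW | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |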
Red Hat
dojo: Cross-site scripting in i18n-test/unit.html and _base/i18nExhaustive.js
vendor_redhat·2018-09-06·CVSS 6.1
CVE-2018-1000665 [MEDIUM] CWE-79 dojo: Cross-site scripting in i18n-test/unit.html and _base/i18nExhaustive.js
Package: dojo (Red Hat Satellite 5) - Not affected
Debian
CVE-2018-1000665: dojo - Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contains a Cross...
vendor_debian·2018·CVSS 6.1
CVE-2018-1000665 [MEDIUM] CVE-2018-1000665: dojo - Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contains a Cross...
Scope: local
bookworm: resolved (fixed in 1.14.1+dfsg1-1)
bullseye: resolved (fixed in 1.14.1+dfsg1-1)
forky: resolved (fixed in 1.14.1+dfsg1-1)
sid: resolved (fixed in 1.14.1+dfsg1
GHSA
Improper Neutralization of Input During Web Page Generation in Dojo Dojo Objective Harness
ghsa·2022-05-14
CVE-2018-1000665 [MEDIUM] CWE-79 Improper Neutralization of Input During Web Page Generation in Dojo Dojo Objective Harness
OSV
Improper Neutralization of Input During Web Page Generation in Dojo Dojo Objective Harness
osv·2022-05-14
CVE-2018-1000665 [MEDIUM] Improper Neutralization of Input During Web Page Generation in Dojo Dojo Objective Harness
OSV
CVE-2018-1000665: Dojo Dojo Objective Harness (DOH) version prior to version 1
osv·2018-09-06·CVSS 6.1
CVE-2018-1000665 [MEDIUM] CVE-2018-1000665: Dojo Dojo Objective Harness (DOH) version prior to version 1
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-1000665 dojo: Cross-site scripting in i18n-test/unit.html and _base/i18nExhaustive.js
bugzilla·2018-09-06·CVSS 6.1
CVE-2018-1000665 [MEDIUM] CVE-2018-1000665 dojo: Cross-site scripting in i18n-test/unit.html and _base/i18nExhaustive.js
Upstream patch:
https://github.com/dojo/dojo/pull/307
References:
https://dojotoo
Bugzilla
CVE-2018-1000665 dojo: Cross-site scripting in i18n-test/unit.html and _base/i18nExhaustive.js [fedora-all]
bugzilla·2018-09-06·CVSS 6.1
CVE-2018-1000665 [MEDIUM] CVE-2018-1000665 dojo: Cross-site scripting in i18n-test/unit.html and _base/i18nExhaustive.js [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affec
Bugzilla
CVE-2018-1000665 dojo: Cross-site scripting in i18n-test/unit.html and _base/i18nExhaustive.js [epel-all]
bugzilla·2018-09-06·CVSS 6.1
CVE-2018-1000665 [MEDIUM] CVE-2018-1000665 dojo: Cross-site scripting in i18n-test/unit.html and _base/i18nExhaustive.js [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects m