CVE-2018-15494: Improper Encoding or Escaping of Output in Dojo

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.7% (top 27.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 18
Latest update: Jun 16

Description

In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

NVD: dojotoolkit/dojo < 1.14
npm: linuxfoundation/dojox < 1.14.0
Debian: linuxfoundation/dojo < 1.14.1+dfsg1-1+3
Ubuntu: linuxfoundation/dojo < 1.15.4+dfsg1-1ubuntu0.1+2

Also affects: Debian Linux 8.0

🔴 Vulnerability Details (5)

OSV: dojo vulnerabilities (2025-06-16)
OSV: dojox vulnerable to unescaped string injection (2018-10-15)
GHSA: dojox vulnerable to unescaped string injection (2018-10-15)
CVEList: CVE-2018-15494: In Dojo Toolkit before 1 (2018-08-18)
OSV: CVE-2018-15494: In Dojo Toolkit before 1 (2018-08-18)

📋 Vendor Advisories (3)

Ubuntu: Dojo vulnerabilities (2025-06-16)
Red Hat: dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid (2018-07-12)
Debian: CVE-2018-15494: dojo - In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/D... (2018)

💬 Community (3)

Bugzilla: CVE-2018-15494 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid [epel-all] (2018-08-23)
Bugzilla: CVE-2018-15494 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid (2018-08-23)
Bugzilla: CVE-2018-15494 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid [fedora-all] (2018-08-23)
CVE-2018-15494 — Dojotoolkit Dojo vulnerability | cvebase