CVE-2018-15494
Published: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
Priority: P346 · critical · 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.61% (83.5th percentile)
Affected (8 distinct ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | dojo | < 1.14.1+dfsg1-1 (bookworm) | 1.14.1+dfsg1-1 (bookworm) |
| dojotoolkit | dojo | < 1.14 | 1.14 |
| linuxfoundation | dojo | >= 0 < 1.14.1+dfsg1-1 | 1.14.1+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.4+dfsg1-1ubuntu0.1 | 1.15.4+dfsg1-1ubuntu0.1 |
| linuxfoundation | dojo | >= 0 < 1.10.4+dfsg-2ubuntu0.1~esm1 | 1.10.4+dfsg-2ubuntu0.1~esm1 |
| linuxfoundation | dojo | >= 0 < 1.15.0+dfsg1-1ubuntu0.1~esm1 | 1.15.0+dfsg1-1ubuntu0.1~esm1 |
| linuxfoundation | dojox | >= 0 < 1.14.0 | 1.14.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
Ubuntu
Dojo vulnerabilities
vendor_ubuntu·2025-06-16·CVSS 9.8
CVE-2020-4051 [CRITICAL] Dojo vulnerabilities
Summary: Several security issues were fixed in Dojo.
It was discovered that Dojo did not correctly handle DataGrids. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
(CVE-2018-15494)
It was discovered that Dojo was vulnerable to prototype pollution. An
attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-23450)
Jonathan Leitschuh discovered that Dojo did not correctly sanitize
certain inputs. An attacker could possibly use this issue to execute a
cross-site scripting (XSS) attack. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2019-10785, CVE-2020-4051)
Instructions: In general, a standard system update will make
Red Hat
dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid
vendor_redhat·2018-07-12·CVSS 9.8
CVE-2018-15494 [CRITICAL] CWE-79 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
Statement: Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.
Package: dojo (Red Hat Satellite 5) - Will not fix
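The vendor entries classify this issue as cross-site scripting caused by missing output escaping (CWE-79, CWE-116) in the DataGrid's row-editing path, while the NVD vector scores it as a network-reachable full compromise; the practical impact is script execution in the browser of whoever edits a poisoned row. The following is an added example, not Dojo's code and not the upstream patch: a constructed editable-cell renderer that shows the general bug class (a value escaped for text context being concatenated into an HTML attribute) beside a hardened version, with a small quote-aware tokenizer to check whether the value stayed inside one attribute. Every function name and the hostile cell value are constructed for this page.

```javascript
// Added example, not Dojo's own code: a minimal editable-grid cell renderer
// showing the bug class behind "unescaped string injection when editing rows"
// (CWE-116 escaping that does not match the output context, leading to CWE-79).
// All function names and the sample cell value are constructed for this page.

// Escaping that is adequate for a value rendered as a text node...
function escapeTextOnly(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// ...and escaping that also covers a quoted HTML attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the cell value is escaped for text context, then the
// row enters edit mode and the same string is concatenated into value="...".
function renderEditCellVulnerable(cellValue) {
  return '<input class="gridInput" type="text" value="' + escapeTextOnly(cellValue) + '">';
}

// Hardened pattern: escape for the attribute context the value actually lands in.
function renderEditCellFixed(cellValue) {
  return '<input class="gridInput" type="text" value="' + escapeHtml(cellValue) + '">';
}

// Tiny quote-aware start-tag attribute tokenizer, used to check what a browser
// would see: did the cell value stay inside a single attribute value?
function parseAttributes(tag) {
  const attrs = [];
  const end = tag.lastIndexOf(">");
  let i = tag.indexOf(" ");
  while (i !== -1 && i < end) {
    while (i < end && /\s/.test(tag[i])) i++;
    if (i >= end) break;
    let j = i;
    while (j < end && !/[\s=]/.test(tag[j])) j++;
    const name = tag.slice(i, j).toLowerCase();
    let value = null;
    let k = j;
    while (k < end && /\s/.test(tag[k])) k++;
    if (tag[k] === "=") {
      k++;
      while (k < end && /\s/.test(tag[k])) k++;
      const q = tag[k];
      if (q === '"' || q === "'") {
        const close = tag.indexOf(q, k + 1);
        value = tag.slice(k + 1, close === -1 ? end : close);
        k = close === -1 ? end : close + 1;
      } else {
        let m = k;
        while (m < end && !/\s/.test(tag[m])) m++;
        value = tag.slice(k, m);
        k = m;
      }
    }
    attrs.push({ name, value });
    i = k;
  }
  return attrs;
}

// Anything beyond the three attributes the template emits was injected.
function hasInjectedAttribute(html) {
  const allowed = new Set(["class", "type", "value"]);
  return parseAttributes(html).some((a) => !allowed.has(a.name));
}

// Reverse of escapeHtml, to confirm the fixed output round-trips the value.
function decodeEntities(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Constructed hostile cell value, as an attacker might store it in the grid's data source.
const HOSTILE_VALUE = '" autofocus onfocus="alert(document.cookie)';

for (const render of [renderEditCellVulnerable, renderEditCellFixed]) {
  const html = render(HOSTILE_VALUE);
  console.log(render.name, "->", html, "| injected attribute:", hasInjectedAttribute(html));
}
```

The check deliberately looks at what the markup parses to rather than which characters were replaced: escaping `<` and `&` is enough for a text node, but a bare `"` inside value="..." terminates the attribute, so the escaping routine has to match the context the string is inserted into (or the input should be created with DOM APIs and its `.value` property set directly, which removes string concatenation from the path altogether).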
Debian
CVE-2018-15494: dojo - In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/D...
vendor_debian·2018·CVSS 9.8
CVE-2018-15494 [CRITICAL] CVE-2018-15494: dojo - In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/D...
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
Scope: local
bookworm: resolved (fixed in 1.14.1+dfsg1-1)
bullseye: resolved (fixed in 1.14.1+dfsg1-1)
forky: resolved (fixed in 1.14.1+dfsg1-1)
sid: resolved (fixed in 1.14.1+dfsg1-1)
trixie: resolved (fixed in 1.14.1+dfsg1-1)
OSV
dojo vulnerabilities
osv·2025-06-16·CVSS 9.8
CVE-2018-15494 [CRITICAL] dojo vulnerabilities
(Advisory text identical to the Ubuntu "Dojo vulnerabilities" entry above.)
OSV
dojox vulnerable to unescaped string injection
osv·2018-10-15
CVE-2018-15494 [CRITICAL] dojox vulnerable to unescaped string injection
In Dojo Toolkit before 1.14.0, there is unescaped string injection in dojox/Grid/DataGrid.
GHSA
dojox vulnerable to unescaped string injection
ghsa·2018-10-15
CVE-2018-15494 [CRITICAL] CWE-116 dojox vulnerable to unescaped string injection
In Dojo Toolkit before 1.14.0, there is unescaped string injection in dojox/Grid/DataGrid.
OSV
CVE-2018-15494: In Dojo Toolkit before 1
osv·2018-08-18·CVSS 9.8
CVE-2018-15494 [CRITICAL] CVE-2018-15494: In Dojo Toolkit before 1
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-15494 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid [epel-all]
bugzilla·2018-08-23·CVSS 9.8
CVE-2018-15494 [CRITICAL] CVE-2018-15494 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: t
Bugzilla
CVE-2018-15494 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid
bugzilla·2018-08-23·CVSS 9.8
CVE-2018-15494 [CRITICAL] CVE-2018-15494 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid
Dojo toolkit before version 1.14 is vulnerable to a cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid.
Upstream Patch:
https://github.com/dojo/dojox/pull/283/commits/e92ee87750af8fbc7e474bb8e8661821aa9f88fa
Discussion:
Created dojo tracking bugs for this issue:
Affects: epel-all [bug 1620364]
Affects: fedora-all [bug 1620363]
---
Statement:
Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/
Bugzilla
CVE-2018-15494 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid [fedora-all]
bugzilla·2018-08-23·CVSS 9.8
CVE-2018-15494 [CRITICAL] CVE-2018-15494 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid [fedora-all]
(Same automatically generated tracking-bug text as the epel-all entry above, filed against fedora-all.)
NOT
References
https://dojotoolkit.org/blog/dojo-1-14-released
https://github.com/dojo/dojox/pull/283
https://lists.debian.org/debian-lts-announce/2018/09/msg00002.html