CVE-2019-10785
Published 2020-02-13
Priority P4 · 27 · medium · CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS 1.85% (76.5th percentile)
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
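As an added illustration of the defect class the description names (constructed here, not the dojox source or the project's fix), the following JavaScript contrasts an encoder built on first-occurrence string replace with a single global-regex pass, and adds the completeness check a unit test would run against any encoder; the function names and the sample message are assumptions.

```javascript
// Added example, not dojox code. String.prototype.replace with a *string*
// pattern replaces only the first match, so an encoder chained on it leaves
// every later special character in the input untouched.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };

// Incomplete encoder: reconstructs the described defect (first occurrence only).
// '&' is handled first so the entities it emits are not re-encoded.
function xmlEncodeFirstOnly(str) {
  let out = str;
  for (const [ch, ent] of Object.entries(ESCAPES)) {
    out = out.replace(ch, ent); // string pattern: first occurrence only
  }
  return out;
}

// Corrected encoder: one global-regex pass encodes every occurrence, and a
// single pass cannot double-encode the '&' of an entity it just produced.
function xmlEncodeAll(str) {
  return str.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Defender's check for an encoder's output: no raw <, >, ", ' may remain,
// and every '&' must start one of the five entities.
function isFullyEncoded(encoded) {
  return !/[<>"']/.test(encoded) && !/&(?!(amp|lt|gt|quot|apos);)/.test(encoded);
}

// Constructed sample message with two of each special character.
const SAMPLE = `<b>x</b> & "y" & 'z'`;

console.log(xmlEncodeFirstOnly(SAMPLE), isFullyEncoded(xmlEncodeFirstOnly(SAMPLE)));
// -> &lt;b&gt;x</b> &amp; &quot;y" & &apos;z'   false
console.log(xmlEncodeAll(SAMPLE), isFullyEncoded(xmlEncodeAll(SAMPLE)));
// -> &lt;b&gt;x&lt;/b&gt; &amp; &quot;y&quot; &amp; &apos;z&apos;   true
```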
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | dojo | < dojo 1.15.2+dfsg1-1 (bookworm) | dojo 1.15.2+dfsg1-1 (bookworm) |
| linuxfoundation | dojo | >= 0 < 1.15.2+dfsg1-1 | 1.15.2+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.2+dfsg1-1 | 1.15.2+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.2+dfsg1-1 | 1.15.2+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.2+dfsg1-1 | 1.15.2+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.4+dfsg1-1ubuntu0.1 | 1.15.4+dfsg1-1ubuntu0.1 |
| linuxfoundation | dojo | >= 0 < 1.10.4+dfsg-2ubuntu0.1~esm1 | 1.10.4+dfsg-2ubuntu0.1~esm1 |
| linuxfoundation | dojo | >= 0 < 1.15.0+dfsg1-1ubuntu0.1~esm1 | 1.15.0+dfsg1-1ubuntu0.1~esm1 |
| linuxfoundation | dojox | — | — |
| linuxfoundation | dojox | >= 0 < 1.11.9 | 1.11.9 |
| linuxfoundation | dojox | >= 1.11.0 < 1.11.9 | 1.11.9 |
| linuxfoundation | dojox | >= 1.12.0 < 1.12.7 | 1.12.7 |
| linuxfoundation | dojox | >= 1.12.0 < 1.12.7 | 1.12.7 |
| linuxfoundation | dojox | >= 1.13.0 < 1.13.6 | 1.13.6 |
| linuxfoundation | dojox | >= 1.13.0 < 1.13.6 | 1.13.6 |
| linuxfoundation | dojox | >= 1.14.0 < 1.14.5 | 1.14.5 |
| linuxfoundation | dojox | >= 1.14.0 < 1.14.5 | 1.14.5 |
| linuxfoundation | dojox | >= 1.15.0 < 1.15.2 | 1.15.2 |
| linuxfoundation | dojox | >= 1.15.0 < 1.15.2 | 1.15.2 |
| linuxfoundation | dojox | >= 1.16.0 < 1.16.1 | 1.16.1 |
| linuxfoundation | dojox | >= 1.16.0 < 1.16.1 | 1.16.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
OSV · 2025-06-16 · CVSS 9.8 · CVE-2018-15494 [CRITICAL]: dojo vulnerabilities
It was discovered that Dojo did not correctly handle DataGrids. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-15494)

It was discovered that Dojo was vulnerable to prototype pollution. An attacker could possibly use this issue to execute arbitrary code. (CVE-2021-23450)

Jonathan Leitschuh discovered that Dojo did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2019-10785, CVE-2020-4051)
GHSA · 2020-02-13 · CVE-2019-10785 [MEDIUM] · CWE-79: XSS in dojox due to insufficient escape in dojox.xmpp.util.xmlEncode
### Impact
_What kind of vulnerability is it? Who is impacted?_
Potential XSS vulnerability for users of `dojox/xmpp` and `dojox/dtl`.
### Patches
_Has the problem been patched? What versions should users upgrade to?_
Yes, patches are available for the 1.11 through 1.16 versions. Users should upgrade to one of these versions of Dojo:
* 1.16.1
* 1.15.2
* 1.14.5
* 1.13.6
* 1.12.7
* 1.11.9
Users of Dojo 1.10.x and earlier should review this change and determine if it impacts them, and backport the change as appropriate.
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
The change applied in https://github.com/dojo/dojox/pull/315 could get added separately as a patch.
OSV · 2020-02-13 · CVSS 6.1 · CVE-2019-10785 [MEDIUM]
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
OSV · 2020-02-13 · CVE-2019-10785 [MEDIUM]: XSS in dojox due to insufficient escape in dojox.xmpp.util.xmlEncode
Same advisory text as the GHSA entry above.
Ubuntu · 2025-06-16 · CVSS 9.8 · CVE-2020-4051 [CRITICAL]: Dojo vulnerabilities
Summary: Several security issues were fixed in Dojo.
(Advisory text identical to the OSV entry above.)
Instructions: In general, a standard system update will make
Red Hat · 2020-02-28 · CVSS 6.1 · CVE-2019-10785 [MEDIUM] · CWE-79: dojo: cross-site scripting via dojox.xmpp.util.xmlEncode
A flaw was found in dojox. Cross-site scripting is possible as only the first occurrence of each character is encoded. The highest threat from this vulnerability is to data confidentiality and integrity.
Statement: This flaw affects the XML encoding used in the XMPP implementation of Dojo; however, the FreeIPA versions shipped with Red Hat Enterprise Linux 6, 7 and 8 do not make use of this specific API and are not affected by this issue.
Package: ipa (Red Hat Enterprise Linux 6) - Not affected
Debian · 2019 · CVSS 6.1 · CVE-2019-10785 [MEDIUM]: dojo
Scope: local
bookworm: resolved (fixed in 1.15.2+dfsg1-1)
bullseye: resolved (fixed in 1.15.2+dfsg1-1)
forky: resolved (fixed in 1.15.2+dfsg1-1)
sid: resolved (fixed in 1.15.2+dfsg1-1)
trixie: resolved (fixed in 1.15.2+dfsg1-1)
No detection rules found.
No public exploits indexed.
Bugzilla · 2020-05-04 · CVSS 6.1 · CVE-2019-10785 [MEDIUM]: CVE-2019-10785 dojo: cross-site scripting via dojox.xmpp.util.xmlEncode
References:
https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952771
Discussion:
Created dojo tracking bugs for this issue:
Affects: epel-all [bug 1831011]
---
Statement:
This flaw affects the XML encoding used on XMPP implementation at Dojo, although the FreeIPA versions shipped with Red Hat Enterprise Linux 6, 7 and 8 it doesn't make use of
Bugzilla · 2020-05-04 · CVSS 6.1 · CVE-2019-10785 [MEDIUM]: CVE-2019-10785 dojo: cross-site scripting via dojox.xmpp.util.xmlEncode [epel-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versi
References:
https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html
https://snyk.io/vuln/SNYK-JS-DOJOX-548257