CVE-2020-4051
Published 2020-06-15
Priority: P4 · 28 · medium · 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.18% (63.9th percentile)
In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.
Affected
27 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | dojo | < dojo 1.15.4+dfsg1-1 (bookworm) | dojo 1.15.4+dfsg1-1 (bookworm) |
| dojo | dijit | < 1.11.11 | 1.11.11 |
| dojo | dijit | — | — |
| dojo | dijit | — | — |
| dojo | dijit | — | — |
| dojo | dijit | — | — |
| dojo | dijit | — | — |
| dojo | dijit | >= 0 < 1.11.11 | 1.11.11 |
| dojo | dijit | >= 1.12.0 < 1.12.9 | 1.12.9 |
| dojo | dijit | >= 1.13.0 < 1.13.8 | 1.13.8 |
| dojo | dijit | >= 1.14.0 < 1.14.7 | 1.14.7 |
| dojo | dijit | >= 1.15.0 < 1.15.4 | 1.15.4 |
| dojo | dijit | >= 1.16.0 < 1.16.3 | 1.16.3 |
| linuxfoundation | dojo | >= 0 < 1.15.4+dfsg1-1 | 1.15.4+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.4+dfsg1-1 | 1.15.4+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.4+dfsg1-1 | 1.15.4+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.4+dfsg1-1 | 1.15.4+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.4+dfsg1-1ubuntu0.1 | 1.15.4+dfsg1-1ubuntu0.1 |
| linuxfoundation | dojo | >= 0 < 1.10.4+dfsg-2ubuntu0.1~esm1 | 1.10.4+dfsg-2ubuntu0.1~esm1 |
| linuxfoundation | dojo | >= 0 < 1.15.0+dfsg1-1ubuntu0.1~esm1 | 1.15.0+dfsg1-1ubuntu0.1~esm1 |
| openjsf | dijit | < 1.11.11 | 1.11.11 |
| openjsf | dijit | >= 1.12.0 < 1.12.9 | 1.12.9 |
| openjsf | dijit | >= 1.13.0 < 1.13.8 | 1.13.8 |
| openjsf | dijit | >= 1.14.0 < 1.14.7 | 1.14.7 |
CVSS provenance
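| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 3.7 | LOW | — |
| vendor_redhat | — | 3.7 | LOW | — |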
OSV
dojo vulnerabilities
osv·2025-06-16·CVSS 9.8
CVE-2018-15494 [CRITICAL] dojo vulnerabilities
It was discovered that Dojo did not correctly handle DataGrids. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
(CVE-2018-15494)
It was discovered that Dojo was vulnerable to prototype pollution. An
attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-23450)
Jonathan Leitschuh discovered that Dojo did not correctly sanitize
certain inputs. An attacker could possibly use this issue to execute a
cross-site scripting (XSS) attack. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2019-10785, CVE-2020-4051)
GHSA
Cross-site Scripting in dijit editor's LinkDialog plugin
ghsa·2020-06-15
CVE-2020-4051 [LOW] CWE-79 Cross-site Scripting in dijit editor's LinkDialog plugin
### Impact
XSS possible for users of the Dijit Editor's LinkDialog plugin
### Patches
Yes, 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3
### Workarounds
Users may apply the patch made in these releases.
### For more information
If you have any questions or comments about this advisory, open an issue in [dojo/dijit](https://github.com/dojo/dijit/)
OSV
Cross-site Scripting in dijit editor's LinkDialog plugin
osv·2020-06-15
CVE-2020-4051 [LOW] Cross-site Scripting in dijit editor's LinkDialog plugin
### Impact
XSS possible for users of the Dijit Editor's LinkDialog plugin
### Patches
Yes, 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3
### Workarounds
Users may apply the patch made in these releases.
### For more information
If you have any questions or comments about this advisory, open an issue in [dojo/dijit](https://github.com/dojo/dijit/)
OSV
CVE-2020-4051: In Dijit before versions 1
osv·2020-06-15·CVSS 5.4
CVE-2020-4051 [MEDIUM] CVE-2020-4051: In Dijit before versions 1
In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.
Ubuntu
Dojo vulnerabilities
vendor_ubuntu·2025-06-16·CVSS 9.8
CVE-2020-4051 [CRITICAL] Dojo vulnerabilities
Title: Dojo vulnerabilities
Summary: Several security issues were fixed in Dojo.
It was discovered that Dojo did not correctly handle DataGrids. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
(CVE-2018-15494)
It was discovered that Dojo was vulnerable to prototype pollution. An
attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-23450)
Jonathan Leitschuh discovered that Dojo did not correctly sanitize
certain inputs. An attacker could possibly use this issue to execute a
cross-site scripting (XSS) attack. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2019-10785, CVE-2020-4051)
Instructions: In general, a standard system update will make
Red Hat
dojo: Cross-site scripting vulnerability in the editor's LinkDialog plugin
vendor_redhat·2020-06-13·CVSS 3.7
CVE-2020-4051 [LOW] CWE-79 dojo: Cross-site scripting vulnerability in the editor's LinkDialog plugin
In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.
A flaw was found in dijit. A cross-site scripting vulnerability was identified in the Editor's LinkDialog plugin. The highest threat from this vulnerability is to data confidentiality and integrity.
Statement: ipa as shipped with Red Hat Enterpr
Debian
CVE-2020-4051: dojo - In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less t...
vendor_debian·2020·CVSS 3.7
CVE-2020-4051 [LOW] CVE-2020-4051: dojo - In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less t...
In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.
Scope: local
bookworm: resolved (fixed in 1.15.4+dfsg1-1)
bullseye: resolved (fixed in 1.15.4+dfsg1-1)
forky: resolved (fixed in 1.15.4+dfsg1-1)
sid: resolved (fixed in 1.15.4+dfsg1-1)
trixie: resolved (fixed in 1.15.4+dfsg1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-4051 dojo: Cross-site scripting vulnerability in the editor's LinkDialog plugin [epel-7]
bugzilla·2020-09-16·CVSS 3.7
CVE-2020-4051 [LOW] CVE-2020-4051 dojo: Cross-site scripting vulnerability in the editor's LinkDialog plugin [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following templ
Bugzilla
CVE-2020-4051 dojo: Cross-site scripting vulnerability in the editor's LinkDialog plugin [epel-6]
bugzilla·2020-09-16·CVSS 3.7
CVE-2020-4051 [LOW] CVE-2020-4051 dojo: Cross-site scripting vulnerability in the editor's LinkDialog plugin [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following templ
Bugzilla
CVE-2020-4051 dojo: Cross-site scripting vulnerability in the editor's LinkDialog plugin
bugzilla·2020-09-16·CVSS 3.7
CVE-2020-4051 [LOW] CVE-2020-4051 dojo: Cross-site scripting vulnerability in the editor's LinkDialog plugin
In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.
References:
https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6
Upstream patch:
https://github.com/dojo/dijit/commit/462bdcd60d0333315fe69ab4709c894d78f61301
Discussion:
Created dojo tracking bugs for this iss
https://github.com/dojo/dijit/commit/462bdcd60d0333315fe69ab4709c894d78f61301
https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6
https://lists.debian.org/debian-lts-announce/2023/01/msg00030.html
https://security.netapp.com/advisory/ntap-20201023-0003/
https://www.oracle.com/security-alerts/cpuoct2020.html