CVE-2020-5259
published 2020-03-10CVE-2020-5259: In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject…
PriorityP346high8.6CVSS 3.1
AVNACLPRNUINSCCNIHAN
EPSS
1.98%
78.0th percentile
In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dojo | < dojo 1.15.3+dfsg1-1 (bookworm) | dojo 1.15.3+dfsg1-1 (bookworm) |
| dojo | dojox | < 1.11.10 | 1.11.10 |
| dojo | dojox | — | — |
| dojo | dojox | — | — |
| dojo | dojox | — | — |
| dojo | dojox | — | — |
| dojo | dojox | — | — |
| linuxfoundation | dojo | >= 0 < 1.15.3+dfsg1-1 | 1.15.3+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.3+dfsg1-1 | 1.15.3+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.3+dfsg1-1 | 1.15.3+dfsg1-1 |
| linuxfoundation | dojo | >= 0 < 1.15.3+dfsg1-1 | 1.15.3+dfsg1-1 |
| linuxfoundation | dojox | < 1.11.10 | 1.11.10 |
| linuxfoundation | dojox | >= 0 < 1.11.10 | 1.11.10 |
| linuxfoundation | dojox | >= 1.12.0 < 1.12.8 | 1.12.8 |
| linuxfoundation | dojox | >= 1.12.0 < 1.12.8 | 1.12.8 |
| linuxfoundation | dojox | >= 1.13.0 < 1.13.7 | 1.13.7 |
| linuxfoundation | dojox | >= 1.13.0 < 1.13.7 | 1.13.7 |
| linuxfoundation | dojox | >= 1.14.0 < 1.14.6 | 1.14.6 |
| linuxfoundation | dojox | >= 1.14.0 < 1.14.6 | 1.14.6 |
| linuxfoundation | dojox | >= 1.15.0 < 1.15.3 | 1.15.3 |
| linuxfoundation | dojox | >= 1.15.0 < 1.15.3 | 1.15.3 |
| linuxfoundation | dojox | >= 1.16.0 < 1.16.2 | 1.16.2 |
| linuxfoundation | dojox | >= 1.16.0 < 1.16.2 | 1.16.2 |
CVSS provenance
nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
osv8.6HIGH
vendor_debian7.7HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Debian
CVE-2020-5259: dojo - In affected versions of dojox (NPM package), the jqMix method is vulnerable to P...
vendor_debian·2020·CVSS 7.7
CVE-2020-5259 [HIGH] CVE-2020-5259: dojo - In affected versions of dojox (NPM package), the jqMix method is vulnerable to P...
In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
Scope: local
bookworm: resolved (fixed in 1.15.3+dfsg1-1)
bullseye: resolved (fixed in 1.15.3+dfsg1-1)
forky: resolved (fixed in 1.15.3+dfsg1-1)
sid: resolved (fixed in 1.15.3+dfsg1-1)
trixie: resolved (fixed in 1.15.3+dfsg1-1)
OSV
Prototype Pollution in Dojox
osv·2020-03-10
CVE-2020-5259 [LOW] Prototype Pollution in Dojox
Prototype Pollution in Dojox
The Dojox jQuery wrapper `jqMix` mixin method is vulnerable to Prototype Pollution.
Affected Area:
```
//https://github.com/dojo/dojox/blob/master/jq.js#L442
var tobj = {};
for(var x in props){
// the "tobj" condition avoid copying properties in "props"
// inherited from Object.prototype. For example, if obj has a custom
// toString() method, don't overwrite it with the toString() method
// that props inherited from Object.prototype
if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
if(dojo.isArray(props[x])){
obj[x] = props[x];
}else{
obj[x] = jqMix(obj[x], props[x]);
}
}else{
obj[x] = props[x];
}
```
OSV
CVE-2020-5259: In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution
osv·2020-03-10·CVSS 8.6
CVE-2020-5259 [HIGH] CVE-2020-5259: In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution
In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
GHSA
Prototype Pollution in Dojox
ghsa·2020-03-10
CVE-2020-5259 [LOW] CWE-94 Prototype Pollution in Dojox
Prototype Pollution in Dojox
The Dojox jQuery wrapper `jqMix` mixin method is vulnerable to Prototype Pollution.
Affected Area:
```
//https://github.com/dojo/dojox/blob/master/jq.js#L442
var tobj = {};
for(var x in props){
// the "tobj" condition avoid copying properties in "props"
// inherited from Object.prototype. For example, if obj has a custom
// toString() method, don't overwrite it with the toString() method
// that props inherited from Object.prototype
if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
if(dojo.isArray(props[x])){
obj[x] = props[x];
}else{
obj[x] = jqMix(obj[x], props[x]);
}
}else{
obj[x] = props[x];
}
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9dahttps://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cwhttps://lists.debian.org/debian-lts-announce/2020/03/msg00012.htmlhttps://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9dahttps://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cwhttps://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
2020-03-10
Published