CVE-2020-5259 — Code Injection in Dojox

CWE-94 — Code Injection CWE-74 — Injection6 documents5 sources

Severity

8.6HIGHNVD

CNA7.7

EPSS

0.3%

top 48.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dojo Dojox Linuxfoundation Dojo Linuxfoundation Dojox

Timeline

PublishedMar 10

Description

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages4 packages

▶CVEListV5dojo/dojox< 1.11.10+5

▶NVDlinuxfoundation/dojox1.12.0 — 1.12.8+5

▶npmlinuxfoundation/dojox1.12.0 — 1.12.8+5

▶Debianlinuxfoundation/dojo< 1.15.3+dfsg1-1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Prototype Pollution in Dojox↗2020-03-10

▶

OSV

Prototype Pollution in Dojox↗2020-03-10

▶

OSV

CVE-2020-5259: In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution↗2020-03-10

▶

GHSA

Prototype Pollution in Dojox↗2020-03-10

▶

📋Vendor Advisories

Debian

CVE-2020-5259: dojo - In affected versions of dojox (NPM package), the jqMix method is vulnerable to P...↗2020

▶