Linuxfoundation Dojo vulnerabilities
13 known vulnerabilities affecting linuxfoundation/dojo.
Total CVEs: 13
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 9
Vulnerabilities
CVE-2021-23450 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.17.0 | fixed in unspecified | 2021-12-17
CVE-2021-23450 [CRITICAL] CWE-1321
All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.
ghsa, nvd, osv
CVE-2018-15494 | P3 | CRITICAL | CVSS 9.8 | ≥ 0, < 1.10.4+dfsg-2ubuntu0.1~esm1 | ≥ 0, < 1.15.0+dfsg1-1ubuntu0.1~esm1 | +1 more | 2025-06-16
CVE-2018-15494 [CRITICAL] dojo vulnerabilities
It was discovered that Dojo did not correctly handle DataGrids. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
(CVE-2018-15494)
It was discovered that Dojo was vulnerable to prototype pollution. An
attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-23450)
Jonathan Leitschuh discovered that Dojo did not correctly sani
osv
CVE-2020-5259 | P3 | HIGH | CVSS 8.6 | ≥ 0, < 1.15.3+dfsg1-1 | 2020-03-10
CVE-2020-5259 [HIGH]
In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object b
osv
CVE-2020-5258 | P3 | HIGH | CVSS 7.5 | fixed in 1.11.10 | ≥ 1.12.0, < 1.12.8 | +4 more | 2020-03-10
CVE-2020-5258 [HIGH] CWE-94
In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the ba
ghsa, nvd, osv
CVE-2010-2273 | P4 | MEDIUM | CVSS 4.3 | PoC | ≥ 1.13.0, < 1.13.1 | ≥ 1.12.0, < 1.12.4 | +2 more | 2019-09-11
CVE-2010-2273 [MEDIUM] CWE-79 Cross-Site Scripting in dojo
Versions of `dojo` prior to 1.4.2 are vulnerable to DOM-based Cross-Site Scripting (XSS). The package does not sanitize URL parameters in the `_testCommon.js` and `runner.html` test files, allowing attackers to execute arbitrary JavaScript in the victim's browser.
## Recommendation
Upgrade to version 1.4.2 or later.
ghsa, osv
CVE-2010-2275 | P4 | MEDIUM | CVSS 4.3 | PoC | ≥ 0, < 1.4.2+dfsg-1 | 2010-06-15
CVE-2010-2275 [MEDIUM]
Cross-site scripting (XSS) vulnerability in dijit/tests/_testCommon.js in Dojo Toolkit SDK before 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the theme parameter, as demonstrated by an attack against dijit/tests/form/test_Button.html.
osv
CVE-2020-4051 | P4 | MEDIUM | CVSS 5.4 | ≥ 0, < 1.15.4+dfsg1-1 | 2020-06-15
CVE-2020-4051 [MEDIUM]
In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11
osv
CVE-2019-10785 | P4 | MEDIUM | CVSS 6.1 | ≥ 0, < 1.15.2+dfsg1-1 | 2020-02-13
CVE-2019-10785 [MEDIUM]
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
osv
CVE-2018-1000665 | P4 | MEDIUM | CVSS 6.1 | ≥ 0, < 1.14.1+dfsg1-1 | 2018-09-06
CVE-2018-1000665 [MEDIUM]
Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contains a Cross Site Scripting (XSS) vulnerability in unit.html and testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js in the DOH that can result in Victim attacked through their browser - deliver malware, steal HTTP cookies, bypass CORS trust. This attack appears to be exploitable via
osv
CVE-2018-6561 | P4 | MEDIUM | CVSS 6.1 | ≥ 0, < 1.13.0+dfsg1-1 | 2018-02-02
CVE-2018-6561 [MEDIUM]
dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute of an SVG element.
osv
CVE-2010-2274 | P4 | MEDIUM | CVSS 4.3 | ≥ 0, < 1.4.2+dfsg-1 | 2010-06-15
CVE-2010-2274 [MEDIUM]
Multiple open redirect vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resource
osv
CVE-2015-5654 | P4 | MEDIUM | ≥ 0, < 1.9.1 | 2020-09-11
CVE-2015-5654 [MEDIUM] CWE-79 Cross-Site Scripting in dojo
Versions of `dojo` prior to 1.2.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim's browser.
## Recommendation
Upgrade to version 1.2.0 or later.
ghsa, osv
CVE-2008-6681 | P4 | MEDIUM | ≥ 0, < 1.1.0 | 2020-09-01
CVE-2008-6681 [MEDIUM] CWE-79 Cross-Site Scripting in dojo
Affected versions of `dojo` are susceptible to a cross-site scripting vulnerability in the `dijit.Editor` and `textarea` components, which execute their contents as JavaScript, even when sanitized.
## Recommendation
Update to version 1.1.0 or later.
ghsa, osv