#VU60834 Code Injection


Published: 2022-02-23

Vulnerability identifier: #VU60834

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2021-23450

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
dojo
Web applications / JS libraries

Vendor: dojo.io

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code via the setObject function.

Mitigation
Install update from vendor's website.

Vulnerable software versions

dojo: 1.16.0 - 1.16.4, 1.15.0 - 1.15.5, 1.14.0 - 1.14.8, 1.13.0 - 1.13.9, 1.12.0 - 1.12.10, 1.11.0 - 1.11.12


CPE

External links
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2313033
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBDOJO-2313034
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2313035
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2313036
http://snyk.io/vuln/SNYK-JS-DOJO-1535223
http://github.com/dojo/dojo/commit/b7b8b279f3e082e9d4b54144fe831bdc77b2e0c9


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability