#VU60834 Code Injection in dojo


Published: 2022-02-23

Vulnerability identifier: #VU60834

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2021-23450

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
dojo
Web applications / JS libraries

Vendor: dojo.io

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code via the setObject function.

Mitigation
Install update from vendor's website.

Vulnerable software versions

dojo: 1.16.0 - 1.16.4, 1.15.0 - 1.15.5, 1.14.0 - 1.14.8, 1.13.0 - 1.13.9, 1.12.0 - 1.12.10, 1.11.0 - 1.11.12

CPE

External links
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2313033
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBDOJO-2313034
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2313035
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2313036
http://snyk.io/vuln/SNYK-JS-DOJO-1535223
http://github.com/dojo/dojo/commit/b7b8b279f3e082e9d4b54144fe831bdc77b2e0c9

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Sterling B2B Integrator
Code Injection in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in Oracle WebCenter Portal
Multiple vulnerabilities in Oracle WebCenter Sites
Code Injection in IBM Enterprise Content Management System Monitor
Code Injection in Oracle Enterprise Manager Ops Center
Code Injection in Oracle Communications Convergence
Multiple vulnerabilities in Oracle Communications WebRTC Session Controller
Code Injection in IBM Business Automation Workflow and IBM Business Process Manager (BPM)
Code Injection in IBM Intelligent Operations Center