#VU60834 Code Injection in dojo


Published: 2022-02-23

Vulnerability identifier: #VU60834

Vulnerability risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-23450

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
dojo
Web applications / JS libraries

Vendor: dojo.io

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code via the setObject function.

Mitigation
Install update from vendor's website.

Vulnerable software versions

dojo: 1.16.0 - 1.16.4, 1.15.0 - 1.15.5, 1.14.0 - 1.14.8, 1.13.0 - 1.13.9, 1.12.0 - 1.12.10, 1.11.0 - 1.11.12

External links
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2313033
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBDOJO-2313034
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2313035
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2313036
http://snyk.io/vuln/SNYK-JS-DOJO-1535223
http://github.com/dojo/dojo/commit/b7b8b279f3e082e9d4b54144fe831bdc77b2e0c9

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Code injection in IBM Administration Runtime Expert for i
Multiple vulnerabilities in IBM UrbanCode Build
Multiple vulnerabilities in IBM QRadar SIEM
Code injection in IBM Security Verify Governance
Multiple vulnerabilities in IBM Copy Services Manager
Code Injection in IBM Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services
Multiple vulnerabilities in Axway API Gateway and API Manager
Code Injection in IBM Tivoli Business Service Manager
Multiple vulnerabilities in IBM Sterling B2B Integrator
Code Injection in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data