#VU66748 Prototype pollution in dojox - CVE-2020-5259


Vulnerability identifier: #VU66748

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-5259

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
dojox
Web applications / Modules and components for CMS

Vendor: JS Foundation

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to insufficient sanitization of user-supplied data within the jqMix method. A remote attacker can inject and execute arbitrary JavaScript script code.


Mitigation
Install update from vendor's website.

Vulnerable software versions

dojox: 1.11.0 - 1.16.1

External links
https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition (ITNM)
Multiple vulnerabilities in IBM Security Verify Governance
Multiple vulnerabilities in IBM WebSphere Extreme Scale
Multiple vulnerabilities in IBM QRadar SIEM
Multiple vulnerabilities in IBM Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services
Mulitple vulnerabilities in IBM Storage Scale
Multiple vulnerabilities in IBM Cloud Pak System
Multiple vulnerabilities in IBM Sterling B2B Integrator
Multiple vulnerabilities in IBM Security Guardium Key Lifecycle Manager
Prototype pollution in dojox