CVE-2019-10785

Name: CVE-2019-10785
Description: dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
Source: CVE (at NVD)
References: DLA-2127-1
Debian Bugs: 952771
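As an added illustration of the defect class the description names (not dojox's own code): a hypothetical XML text encoder that escapes only the first occurrence of each character, reconstructed on the assumption that it used String.prototype.replace with a string pattern, beside a corrected encoder and a check a reviewer can run over encoder output. The function names and sample inputs are constructed for this example.

```javascript
// Added illustration of the bug class in CVE-2019-10785, not dojox's own code.
// Assumption: the defective encoder used String.prototype.replace with a string
// pattern, which in JavaScript replaces only the FIRST match of each character.
function xmlEncodeFirstOnly(str) {
  return String(str)
    .replace("&", "&amp;")   // must run first so later entities are not re-escaped
    .replace("<", "&lt;")
    .replace(">", "&gt;")
    .replace('"', "&quot;")
    .replace("'", "&#39;");
}

// Corrected encoder: a global regular expression with a lookup table escapes
// every occurrence in a single pass, so no ordering subtlety remains either.
const XML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function xmlEncodeAll(str) {
  return String(str).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Reviewer's check over encoder output: no raw markup characters may remain, and
// every ampersand must start one of the entities the encoder is allowed to emit.
function isFullyEncoded(encoded) {
  return !/[<>"']/.test(encoded) && !/&(?!(amp|lt|gt|quot|#39);)/.test(encoded);
}

// Runs both encoders on one input and reports whether each output passes the check.
function compareEncoders(input) {
  const firstOnly = xmlEncodeFirstOnly(input);
  const all = xmlEncodeAll(input);
  return { firstOnly, firstOnlySafe: isFullyEncoded(firstOnly), all, allSafe: isFullyEncoded(all) };
}

// Constructed inputs: one occurrence per character (hides the bug, which is why a
// single-case unit test would pass) and repeated characters (exposes it).
const SAMPLES = ["<x>", "<b>one</b> <i>two</i>", "a & b & c"];
for (const s of SAMPLES) console.log(JSON.stringify(compareEncoders(s)));
```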

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                 | Version                | Status
dojo (PTS)     | jessie, jessie (lts)                    | 1.10.2+dfsg-1+deb8u4   | fixed
dojo           | buster (security), buster, buster (lts) | 1.14.2+dfsg1-1+deb10u3 | fixed
dojo           | bullseye                                | 1.15.4+dfsg1-1+deb11u1 | fixed
dojo           | sid, trixie, bookworm                   | 1.17.2+dfsg1-2.1       | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version          | Urgency     | Origin     | Debian Bugs
dojo    | source | wheezy     | (unfixed)              | end-of-life |            |
dojo    | source | jessie     | 1.10.2+dfsg-1+deb8u2   |             | DLA-2127-1 |
dojo    | source | buster     | 1.14.2+dfsg1-1+deb10u1 |             |            |
dojo    | source | (unstable) | 1.15.2+dfsg1-1         |             |            | 952771

Notes

https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
https://snyk.io/vuln/SNYK-JS-DOJOX-548257
https://github.com/dojo/dojox/pull/315
