CVE-2020-4051

NameCVE-2020-4051
DescriptionIn Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3289-1, ELA-559-1
Debian Bugs970000

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dojo (PTS)jessie, jessie (lts)1.10.2+dfsg-1+deb8u4fixed
buster (security), buster, buster (lts)1.14.2+dfsg1-1+deb10u3fixed
bullseye1.15.4+dfsg1-1+deb11u1fixed
sid, trixie, bookworm1.17.2+dfsg1-2.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dojosourcejessie1.10.2+dfsg-1+deb8u4ELA-559-1
dojosourcebuster1.14.2+dfsg1-1+deb10u3DLA-3289-1
dojosource(unstable)1.15.4+dfsg1-1970000

Notes

https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6
https://github.com/dojo/dijit/commit/462bdcd60d0333315fe69ab4709c894d78f61301
[jessie] - dojo <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems