Description
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Remediation
References
http://bugs.dojotoolkit.org/ticket/10773
http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/
http://secunia.com/advisories/38964
http://secunia.com/advisories/40007
http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/
http://www.vupen.com/english/advisories/2010/1281
http://www-01.ibm.com/support/docview.wss?uid=swg21431472
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994
Related Vulnerabilities
CVE-2022-31150 Vulnerability in maven package org.webjars.npm:undici
CVE-2020-7673 Vulnerability in npm package node-extend
CVE-2018-3713 Vulnerability in npm package angular-http-server
CVE-2023-46998 Vulnerability in maven package org.webjars.npm:bootbox
CVE-2023-38905 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-base-core