Description
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Remediation
References
http://bugs.dojotoolkit.org/ticket/10773
http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/
http://secunia.com/advisories/38964
http://secunia.com/advisories/40007
http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/
http://www.vupen.com/english/advisories/2010/1281
http://www-01.ibm.com/support/docview.wss?uid=swg21431472
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994
Related Vulnerabilities
CVE-2023-36472 Vulnerability in npm package @strapi/utils
CVE-2013-2251 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2021-23432 Vulnerability in npm package mootools
CVE-2020-28496 Vulnerability in npm package three
CVE-2021-44228 Vulnerability in maven package org.apache.logging.log4j:log4j-core