Description
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Remediation
References
http://bugs.dojotoolkit.org/ticket/10773
http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/
http://secunia.com/advisories/38964
http://secunia.com/advisories/40007
http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/
http://www.vupen.com/english/advisories/2010/1281
http://www-01.ibm.com/support/docview.wss?uid=swg21431472
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994
Related Vulnerabilities
CVE-2023-40339 Vulnerability in maven package org.jenkins-ci.plugins:config-file-provider
CVE-2022-41935 Vulnerability in maven package org.xwiki.platform:xwiki-platform-livetable-ui
CVE-2023-46115 Vulnerability in npm package @tauri-apps/cli
CVE-2021-23337 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash
CVE-2020-23262 Vulnerability in maven package net.mingsoft:ms-mcms