Description
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
Remediation
References
https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html
https://snyk.io/vuln/SNYK-JS-DOJOX-548257%2C
Related Vulnerabilities
CVE-2020-13942 Vulnerability in maven package org.apache.unomi:unomi-persistence-elasticsearch-core
CVE-2021-39194 Vulnerability in maven package com.charleskorn.kaml:kaml
CVE-2020-36186 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2020-7676 Vulnerability in maven package org.webjars.bower:angular