Description

In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.

Remediation

References

https://github.com/dojo/dijit/commit/462bdcd60d0333315fe69ab4709c894d78f61301

https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6

https://lists.debian.org/debian-lts-announce/2023/01/msg00030.html

https://security.netapp.com/advisory/ntap-20201023-0003/

https://www.oracle.com/security-alerts/cpuoct2020.html

Related Vulnerabilities

CVE-2022-24615 Vulnerability in maven package net.lingala.zip4j:zip4j

CVE-2023-35925 Vulnerability in maven package com.fastasyncworldedit:fastasyncworldedit-bukkit

CVE-2023-29526 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rendering-async-macro

CVE-2022-31191 Vulnerability in maven package org.dspace:dspace-jspui

CVE-2020-28472 Vulnerability in npm package @aws-sdk/shared-ini-file-loader

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Patch Third Party Advisory Mailing List NVD-CWE-noinfo