Description

In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.

Remediation

References

https://github.com/dojo/dijit/commit/462bdcd60d0333315fe69ab4709c894d78f61301

https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6

https://lists.debian.org/debian-lts-announce/2023/01/msg00030.html

https://security.netapp.com/advisory/ntap-20201023-0003/

https://www.oracle.com/security-alerts/cpuoct2020.html

Related Vulnerabilities

CVE-2022-27772 Vulnerability in maven package org.springframework.boot:spring-boot

CVE-2022-22965 Vulnerability in maven package org.springframework.boot:spring-boot-starter-webflux

CVE-2023-30846 Vulnerability in npm package typed-rest-client

CVE-2022-31139 Vulnerability in maven package io.github.karlatemp:unsafe-accessor

CVE-2021-30246 Vulnerability in maven package org.webjars.bower:jsrsasign

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Patch Third Party Advisory Mailing List NVD-CWE-noinfo