
CVE-2020-5259 dojox

Package

Manager: npm
Name: dojox
Vulnerable Version: >=0 <1.11.10 || >=1.12.0 <1.12.8 || >=1.13.0 <1.13.7 || >=1.14.0 <1.14.6 || >=1.15.0 <1.15.3 || >=1.16.0 <1.16.2

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00587 (percentile 0.68153)

Details

Prototype Pollution in Dojox

The Dojox jQuery wrapper's `jqMix` mixin method is vulnerable to Prototype Pollution. It walks every enumerable key of `props` with `for...in` and recursively merges object-valued entries into `obj` without rejecting keys such as `__proto__`; the `tobj` guard does not stop this either, because `tobj["__proto__"]` is `Object.prototype`, which differs from the attacker-supplied object, so the condition passes and the recursion writes the supplied keys onto the shared prototype.

Affected Area:

```javascript
// https://github.com/dojo/dojox/blob/master/jq.js#L442
var tobj = {};
for(var x in props){
    // the "tobj" condition avoids copying properties in "props"
    // inherited from Object.prototype. For example, if obj has a custom
    // toString() method, don't overwrite it with the toString() method
    // that props inherited from Object.prototype
    if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
        if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
            if(dojo.isArray(props[x])){
                obj[x] = props[x];
            }else{
                obj[x] = jqMix(obj[x], props[x]);
            }
        }else{
            obj[x] = props[x];
        }
    }
}
```
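To make the mechanism concrete, the following is an added example, not dojox's own code and not the project's fix. It reproduces the control flow of the quoted `jqMix` loop with stand-ins for `dojo.isObject` and `dojo.isArray`, feeds it a JSON payload carrying a `__proto__` key (and a second one using `constructor.prototype`), and then checks whether a brand-new, unrelated object has gained the injected property. A hardened variant beside it merges only own keys of `props`, refuses the three prototype-redirecting keys, and only recurses into properties `obj` itself owns. The names `jqMixVulnerable`, `jqMixHardened`, `runDemo`, `UNSAFE_KEYS` and both payloads are this example's own; the `isObject` stand-in is assumed to accept functions as `dojo.isObject` does, but excludes `null` so a bad payload cannot crash the demo.

```javascript
// Added example: vulnerable jqMix-style mixin next to a hardened variant.
// Not dojox code; every name and payload here is this example's own.

// Stand-ins for dojo.isObject / dojo.isArray (assumption: like dojo.isObject,
// functions count as objects; null is excluded here for robustness).
function isObject(v) {
  return v !== null && (typeof v === "object" || typeof v === "function");
}
function isArray(v) {
  return Array.isArray(v);
}

// Same control flow as the quoted jqMix loop: no key is ever rejected.
function jqMixVulnerable(obj, props) {
  var tobj = {};
  for (var x in props) {
    if ((tobj[x] === undefined || tobj[x] != props[x]) &&
        props[x] !== undefined && obj != props[x]) {
      if (isObject(obj[x]) && isObject(props[x])) {
        if (isArray(props[x])) {
          obj[x] = props[x];
        } else {
          // For x === "__proto__", obj[x] is Object.prototype, so this
          // recursion writes the attacker's keys straight onto it.
          obj[x] = jqMixVulnerable(obj[x], props[x]);
        }
      } else {
        obj[x] = props[x];
      }
    }
  }
  return obj;
}

// Keys through which a plain assignment can reach a shared prototype.
var UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened variant: own keys of props only (what the tobj guard was trying
// to express), unsafe keys refused, and recursion only into properties obj
// itself owns, so an inherited target such as toString is shadowed, never
// merged into.
function jqMixHardened(obj, props) {
  for (var x in props) {
    if (!Object.prototype.hasOwnProperty.call(props, x) || UNSAFE_KEYS.has(x)) {
      continue;
    }
    if (props[x] === undefined || obj == props[x]) {
      continue;
    }
    var ownTarget = Object.prototype.hasOwnProperty.call(obj, x);
    if (ownTarget && isObject(obj[x]) && isObject(props[x]) && !isArray(props[x])) {
      obj[x] = jqMixHardened(obj[x], props[x]);
    } else {
      obj[x] = props[x];
    }
  }
  return obj;
}

// Constructed payloads: what an attacker-controlled JSON body could carry.
var PROTO_PAYLOAD = '{"__proto__": {"polluted": true}}';
var CTOR_PAYLOAD  = '{"constructor": {"prototype": {"polluted": true}}}';

// Mix the payload into an empty target, then ask a fresh, unrelated object
// whether it now sees "polluted". Cleans up so each run is independent.
function runDemo(mixin, payloadJson) {
  try {
    mixin({}, JSON.parse(payloadJson));
  } catch (e) {
    // The final write-back (e.g. Object.prototype = ...) throws under strict
    // mode, but the prototype has already been written by that point.
  }
  var leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log("vulnerable, __proto__  :", runDemo(jqMixVulnerable, PROTO_PAYLOAD)); // true
console.log("vulnerable, constructor:", runDemo(jqMixVulnerable, CTOR_PAYLOAD));  // true
console.log("hardened,   __proto__  :", runDemo(jqMixHardened, PROTO_PAYLOAD));   // false
console.log("hardened,   constructor:", runDemo(jqMixHardened, CTOR_PAYLOAD));    // false
```

The `constructor` payload matters because `dojo.isObject` accepts functions: `obj.constructor` is `Object`, `Object.prototype` is an object, and the same recursion lands on the shared prototype by a second route. The hardened merge still deep-merges ordinary nested objects, so callers that relied on `jqMix` for configuration merging keep that behaviour.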

Metadata

Created: 2020-03-10T18:03:32Z
Modified: 2021-02-18T19:45:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-3hw5-q855-g6cw/GHSA-3hw5-q855-g6cw.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-3hw5-q855-g6cw
Finding: F416
Auto approve: 1