Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNodzUtcTg1NS1nNmN3

Prototype Pollution in Dojox

The Dojox jQuery wrapper jqMix mixin method is vulnerable to Prototype Pollution.

Affected Area:

//https://github.com/dojo/dojox/blob/master/jq.js#L442
		var tobj = {};
		for(var x in props){
			// the "tobj" condition avoid copying properties in "props"
			// inherited from Object.prototype.  For example, if obj has a custom
			// toString() method, don't overwrite it with the toString() method
			// that props inherited from Object.prototype
			if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
				if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
					if(dojo.isArray(props[x])){
						obj[x] = props[x];
					}else{
						obj[x] = jqMix(obj[x], props[x]);
					}
				}else{
					obj[x] = props[x];
				}

Permalink: https://github.com/advisories/GHSA-3hw5-q855-g6cw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNodzUtcTg1NS1nNmN3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 4 years ago
Updated: over 1 year ago

CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Identifiers: GHSA-3hw5-q855-g6cw, CVE-2020-5259
References:

• https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
• https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
• https://nvd.nist.gov/vuln/detail/CVE-2020-5259
• https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
• https://github.com/advisories/GHSA-3hw5-q855-g6cw

Repository: https://github.com/dojo/dojox
Blast Radius: 22.2

Affected Packages