[Pkg-javascript-devel] Bug#952771: dojo: CVE-2019-10785
Salvatore Bonaccorso
carnil at debian.org
Fri Feb 28 21:49:37 GMT 2020
Source: dojo
Version: 1.15.0+dfsg1-1
Severity: important
Tags: security upstream
Control: found -1 1.14.2+dfsg1-1
Hi,
The following vulnerability was published for dojo.
CVE-2019-10785[0]:
| dojox is vulnerable to Cross-site Scripting in all versions before
| version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due
| to dojox.xmpp.util.xmlEncode only encoding the first occurrence of
| each character, not all of them.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10785
[1] https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
[2] https://snyk.io/vuln/SNYK-JS-DOJOX-548257
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-javascript-devel
mailing list