CVE-2019-10785: XSS
First published: Thu Feb 13 2020(Updated: )
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Security Guardium | <=10.5 | |
| IBM Security Guardium | <=10.6 | |
| IBM Security Guardium | <=11.0 | |
| IBM Security Guardium | <=11.1 | |
| IBM Security Guardium | <=11.2 | |
| IBM Security Guardium | <=11.3 | |
| Linuxfoundation Dojox | >=1.11.0<1.11.9 | |
| Linuxfoundation Dojox | >=1.12.0<1.12.7 | |
| Linuxfoundation Dojox | >=1.13.0<1.13.6 | |
| Linuxfoundation Dojox | >=1.14.0<1.14.5 | |
| Linuxfoundation Dojox | >=1.15.0<1.15.2 | |
| Linuxfoundation Dojox | >=1.16.0<1.16.1 | |
| Debian Debian Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/176460
- https://www.ibm.com/support/pages/node/6455281 (Advisory)
- https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
- https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html
- https://snyk.io/vuln/SNYK-JS-DOJOX-548257,
- https://snyk.io/vuln/SNYK-JS-DOJOX-548257%2C
Frequently Asked Questions
What is CVE-2019-10785?
CVE-2019-10785 is a vulnerability in dojox, which allows for cross-site scripting (XSS) attacks.
How does CVE-2019-10785 impact IBM Security Guardium?
IBM Security Guardium versions 10.5 to 11.3 are affected by CVE-2019-10785, potentially allowing for XSS attacks.
What is the severity of CVE-2019-10785?
CVE-2019-10785 has a severity rating of 6.1, indicating a medium impact.
How can I fix CVE-2019-10785 in dojox?
To fix CVE-2019-10785 in dojox, update to version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7, or 1.11.9, depending on your current version.
Where can I find more information about CVE-2019-10785?
You can find more information about CVE-2019-10785 at the following references: [IBM X-Force](https://exchange.xforce.ibmcloud.com/vulnerabilities/176460), [IBM Support](https://www.ibm.com/support/pages/node/6455281), [GitHub Advisory](https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr).
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/author
- agent/severity
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/ibm
- canonical/ibm security guardium
- version/ibm security guardium/10.5
- version/ibm security guardium/10.6
- version/ibm security guardium/11.0
- version/ibm security guardium/11.1
- version/ibm security guardium/11.2
- version/ibm security guardium/11.3
- vendor/linuxfoundation
- canonical/linuxfoundation dojox
- version/linuxfoundation dojox/1.11.0
- version/linuxfoundation dojox/1.12.0
- version/linuxfoundation dojox/1.13.0
- version/linuxfoundation dojox/1.14.0
- version/linuxfoundation dojox/1.15.0
- version/linuxfoundation dojox/1.16.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0