GHSA-3hw5-q855-g6cw

Source
https://github.com/advisories/GHSA-3hw5-q855-g6cw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-3hw5-q855-g6cw/GHSA-3hw5-q855-g6cw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3hw5-q855-g6cw
Aliases
Related
Published
2020-03-10T18:03:32Z
Modified
2023-11-08T04:03:53.336216Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
Prototype Pollution in Dojox
Details

The jqMix mixin method in the Dojox jQuery compatibility wrapper (dojox/jq.js) is vulnerable to prototype pollution. The merge loop below iterates over every key in props and, when both obj[x] and props[x] are objects, recurses into obj[x]. For the key "__proto__", obj[x] is Object.prototype, so a caller who controls props (for example through a parsed JSON document) can write arbitrary properties onto the prototype shared by every plain object in the application. The tobj check in the loop only filters out members inherited from Object.prototype; it does not stop an own "__proto__" key on props.

Affected Area:

//https://github.com/dojo/dojox/blob/master/jq.js#L442
        var tobj = {};
        for(var x in props){
            // the "tobj" condition avoid copying properties in "props"
            // inherited from Object.prototype.  For example, if obj has a custom
            // toString() method, don't overwrite it with the toString() method
            // that props inherited from Object.prototype
            if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
                if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
                    if(dojo.isArray(props[x])){
                        obj[x] = props[x];
                    }else{
                        obj[x] = jqMix(obj[x], props[x]);
                    }
                }else{
                    obj[x] = props[x];
                }
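The following is an added example and is not code from the advisory or from the dojox project. jqMixVulnerable re-creates the merge loop quoted above as a stand-alone function (the signature jqMix(obj, props) and the return of obj are assumed; isObject is a simplified stand-in for dojo.isObject and dojo.isArray), jqMixSafe is one possible hardening, and pollutionProbe merges a constructed attacker-shaped JSON payload and checks whether an unrelated object now inherits the injected property. The hardened variant goes beyond the "__proto__" case discussed on this page by also refusing "constructor" and "prototype", which reach Object.prototype through a different path.

```javascript
// Added example (not dojox's own code). jqMixVulnerable reproduces the merge
// loop quoted in the advisory; the signature jqMix(obj, props) and "return obj"
// are assumptions, and isObject is a simplified stand-in for dojo.isObject /
// dojo.isArray. jqMixSafe is one possible hardening.

function isObject(it) {
  return it !== null && (typeof it === "object" || typeof it === "function");
}

// Vulnerable: for every key in props, recurses into obj[key] when both sides
// are objects. For key "__proto__", obj[key] is Object.prototype, so the nested
// payload is merged onto the prototype shared by every plain object.
function jqMixVulnerable(obj, props) {
  var tobj = {};
  for (var x in props) {
    if ((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]) {
      if (isObject(obj[x]) && isObject(props[x])) {
        if (Array.isArray(props[x])) {
          obj[x] = props[x];
        } else {
          obj[x] = jqMixVulnerable(obj[x], props[x]);
        }
      } else {
        obj[x] = props[x];
      }
    }
  }
  return obj;
}

// Keys that give a caller a path to Object.prototype through a plain object.
var UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: copy only own keys of props, skip the three gadget keys, and only
// recurse into a value that obj itself owns (never into an inherited object
// such as Object.prototype or the Object constructor).
function jqMixSafe(obj, props) {
  for (var x in props) {
    if (!Object.prototype.hasOwnProperty.call(props, x) || UNSAFE_KEYS.has(x)) continue;
    if (props[x] === undefined || obj === props[x]) continue;
    if (isObject(obj[x]) && isObject(props[x]) && !Array.isArray(props[x])) {
      if (!Object.prototype.hasOwnProperty.call(obj, x)) obj[x] = {};
      obj[x] = jqMixSafe(obj[x], props[x]);
    } else {
      obj[x] = props[x];
    }
  }
  return obj;
}

// Probe: merge an attacker-shaped JSON document (constructed for this example)
// into an empty target with the given mixin, then read the injected property
// through a fresh object literal. It is only defined if Object.prototype was written.
function pollutionProbe(mixin, payloadJson) {
  var payload = JSON.parse(payloadJson);
  var target = {};
  try {
    mixin(target, payload);
  } catch (e) {
    // A TypeError raised after the prototype write (e.g. assigning
    // Object.prototype in strict mode) does not undo the pollution.
  }
  var leaked = ({}).polluted;
  delete Object.prototype.polluted; // clean up so the probe can be run again
  return { leaked: leaked, title: target.title };
}

// Two constructed payloads: the direct __proto__ gadget and the
// constructor.prototype path.
var PAYLOAD_PROTO = '{"title": "hello", "__proto__": {"polluted": "yes"}}';
var PAYLOAD_CTOR = '{"title": "hello", "constructor": {"prototype": {"polluted": "yes"}}}';

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable, __proto__  :", pollutionProbe(jqMixVulnerable, PAYLOAD_PROTO));
  console.log("vulnerable, constructor:", pollutionProbe(jqMixVulnerable, PAYLOAD_CTOR));
  console.log("safe, __proto__        :", pollutionProbe(jqMixSafe, PAYLOAD_PROTO));
  console.log("safe, constructor      :", pollutionProbe(jqMixSafe, PAYLOAD_CTOR));
}
```

Run with node. With jqMixVulnerable both payloads leave "polluted" readable on a fresh object; with jqMixSafe neither does, while the ordinary "title" key is still merged. The probe reads through a new object literal rather than inspecting Object.prototype directly, which is the same test an application-level check for a polluted prototype would use.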
Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-03-10T18:02:07Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

npm / dojox

Affected ranges (Type: SEMVER; each range runs from the Introduced version up to, but not including, the Fixed version)

  • Introduced: 0 (unknown introduced version; all previous versions are affected)  Fixed: 1.11.10
  • Introduced: 1.12.0  Fixed: 1.12.8
  • Introduced: 1.13.0  Fixed: 1.13.7
  • Introduced: 1.14.0  Fixed: 1.14.6
  • Introduced: 1.15.0  Fixed: 1.15.3
  • Introduced: 1.16.0  Fixed: 1.16.2