GHSA-536q-8gxx-m782

Source
https://github.com/advisories/GHSA-536q-8gxx-m782
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-536q-8gxx-m782/GHSA-536q-8gxx-m782.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-536q-8gxx-m782
Aliases
Published
2019-09-11T23:02:57Z
Modified
2023-11-08T03:56:56.454372Z
Summary
Cross-Site Scripting in dojo
Details

Versions of dojo prior to 1.4.2 are vulnerable to DOM-based Cross-Site Scripting (XSS). The package does not sanitize URL parameters in the _testCommon.js and runner.html test files, allowing attackers to execute arbitrary JavaScript in the victim's browser.

Recommendation

Upgrade to version 1.4.2 or later.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2019-09-04T04:12:06Z"
}
References

Affected packages

npm / dojo

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.13.0
Fixed
1.13.1

Affected versions

1.*

1.13.0

npm / dojo

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.12.0
Fixed
1.12.4

npm / dojo

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.11.0
Fixed
1.11.6

npm / dojo

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.10.0
Fixed
1.10.10