CVE-2019-10785

Cross-Site Scripting
Affects: Dojo
Versions: <1.11.10, >=1.12.0 <1.12.8, >=1.13.0 <1.13.7, >=1.14.0 <1.14.6, >=1.15.0 <1.15.3, >=1.16.0 <1.16.1
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Dojox (or “Dojo Toolkit”) is a collection of optional, extended, and experimental modules for the Dojo Toolkit that provide additional UI widgets, utilities, and advanced features beyond the core Dojo libraries.

A medium-severity Cross-Site Scripting (XSS) vulnerability (CVE-2019-10785) has been identified in Dojox. The XML encoding logic used by dojox/xmpp and dojox/dtl could allow attackers to inject malicious scripts through unescaped user-supplied content in XML contexts, widget labels, and template attributes, leading to arbitrary script execution in the victim's browser.

Per OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Details

Vulnerability Info

This medium-severity vulnerability is present in Dojox release lines prior to 1.16.1. See the affected versions above for the exact ranges.

The vulnerability affects three areas:

  • dojox.xmpp.util.xmlEncode() used inadequate escaping when encoding XML names sent to XMPP servers, potentially affecting servers without proper input validation or users who add the output directly to the DOM.
  • dojox.widget.RollingList._getMenuItemForItem() rendered store item labels without escaping, allowing XSS through malicious label content.
  • dojox.dtl.dom.getTemplate() constructed template attributes without quote escaping, enabling attribute-based XSS injection.

This vulnerability could be exploited through:

  • crafted content or labels containing special characters (<, >, &, ", ')
  • script tags or event handlers injected via unescaped content
  • downstream systems that trust the inadequately escaped output
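The common thread in all three areas is escaping that is incomplete for the context the value lands in. The following added example (not Dojo's own code; the function names are hypothetical and the sample label is constructed) contrasts a text-only encoder with one that covers all five characters listed above, shows why a quote left unescaped breaks out of a template attribute, and adds a post-encoding check plus a name validator for the XML-name case, where entity encoding is not an option:

```javascript
// Added example, not Dojo's own code. Names are hypothetical and the
// sample inputs are constructed.
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes all five characters the advisory lists, so the result is safe
// both as XML/HTML text content and inside a quoted attribute value.
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Models the inadequate pattern: only the text-context characters are
// escaped, so a quote in the input can terminate an attribute value.
function escapeTextOnly(value) {
  return String(value).replace(/[&<>]/g, (ch) => XML_ESCAPES[ch]);
}

// Builds a double-quoted attribute the way a template helper might.
function buildAttr(name, value, esc) {
  return `${name}="${esc(value)}"`;
}

// Defensive check for an encoded attribute value: no raw quotes or angle
// brackets, and every ampersand must start an entity reference.
function isSafeAttrValue(encoded) {
  return !/["'<>]/.test(encoded) && !/&(?![A-Za-z]+;|#\d+;)/.test(encoded);
}

// XML element/attribute names cannot be fixed by entity encoding (entities
// are not permitted inside names), so validate them instead. This is the
// ASCII subset of the XML Name production.
function isValidXmlName(name) {
  return /^[A-Za-z_][A-Za-z0-9_.\-]*$/.test(name);
}

// Constructed label containing a double quote, as a store item label or
// template value might.
const SAMPLE_LABEL = 'Alice" title="injected';

function demo() {
  return {
    weak: buildAttr('title', SAMPLE_LABEL, escapeTextOnly),
    strong: buildAttr('title', SAMPLE_LABEL, escapeXml),
    weakSafe: isSafeAttrValue(escapeTextOnly(SAMPLE_LABEL)),
    strongSafe: isSafeAttrValue(escapeXml(SAMPLE_LABEL)),
  };
}
```

With the weak encoder, `demo().weak` yields a second `title` attribute injected into the tag, while the strong encoder keeps the whole label inside the original quotes and passes `isSafeAttrValue`.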

Mitigation

Dojox version 1.7.x is End-of-Life and will not receive any updates to address this issue. For more information see the Dojo website announcement.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a fixed version of Dojox and Dojo.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Jonathan Leitschuh (analyst)
Vulnerability Details

ID: CVE-2019-10785
Project Affected: Dojo
Versions Affected: <1.11.10, >=1.12.0 <1.12.8, >=1.13.0 <1.13.7, >=1.14.0 <1.14.6, >=1.15.0 <1.15.3, >=1.16.0 <1.16.1
Published date: December 3, 2025
≈ Fix date: November 26, 2025
Fixed in:
Severity: Medium (CVSS scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
Category: Cross-Site Scripting