CVE-2020-4051
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Dijit is a widget and UI component library built on Dojo that provides accessible, themeable, and feature-rich form controls, layout containers, editors, and interactive elements for building enterprise web applications.
A low-severity Cross-Site Scripting (XSS) vulnerability (CVE-2020-4051) has been identified in Dijit. The view source feature allows attackers to bypass content restrictions and inject HTML attributes and JavaScript event handlers, leading to arbitrary code execution.
Per OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Details
Module Info
- Product: Dojo
- Affected packages: dijit
- Affected versions:
  - <1.11.10
  - >=1.12.0 <1.12.9
  - >=1.13.0 <1.13.8
  - >=1.14.0 <1.14.7
  - >=1.15.0 <1.15.4
  - >=1.16.0 <1.16.3
- GitHub repository: https://github.com/dojo/dijit
- Published packages: https://www.npmjs.com/package/dijit
- Package manager: npm
- Fixed in: NES for Dojo v1.7.5, OSS v1.11.10, OSS v1.12.9, OSS v1.13.8, OSS v1.14.7, OSS v1.15.4, OSS v1.16.3
Vulnerability Info
This low-severity vulnerability is present in many versions of Dojo earlier than 1.16.3. See the affected versions above for the exact ranges.
The setValue method in dijit/_editor/plugins/LinkDialog.js creates anchor elements by substituting user input into an HTML template without sanitizing the textInput (Description) field. While the URL field was properly escaped, the Description field was not, allowing HTML injection.
Attackers can inject malicious payloads such as <img src=x onerror=alert(1)> into the Description field, and the template turns that input into executable HTML. When the link is inserted into the editor, the injected JavaScript executes in the context of the page.
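The substitution pattern described above, as an added JavaScript illustration that is not dijit's own code: the template and the field names (urlInput, targetSelect, textInput) are assumptions modelled on the advisory, and the sample input is constructed. It shows the unescaped Description field beside an escaped one and a small check that flags output carrying markup other than the anchor.

```javascript
// Added illustration (not dijit's own code): the template-substitution pattern
// behind CVE-2020-4051, with the Description field inserted raw vs. escaped.
// Minimal stand-in for dojo/string.substitute: replace ${key} with args[key].
function substitute(template, args) {
  return template.replace(/\$\{(\w+)\}/g, (_, key) => String(args[key]));
}

// Anchor template assumed to resemble LinkDialog's htmlTemplate (assumption).
const htmlTemplate = '<a href="${urlInput}" target="${targetSelect}">${textInput}</a>';

// Escape the characters that matter inside attribute values and text nodes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: only the URL's quotes are escaped; the description is raw.
function buildLinkVulnerable(args) {
  return substitute(htmlTemplate, {
    urlInput: String(args.urlInput).replace(/"/g, "&quot;"),
    targetSelect: args.targetSelect || "_self",
    textInput: args.textInput || args.urlInput,
  });
}

// Hardened pattern: every user-controlled field is HTML-escaped first.
function buildLinkFixed(args) {
  return substitute(htmlTemplate, {
    urlInput: escapeHtml(args.urlInput),
    targetSelect: escapeHtml(args.targetSelect || "_self"),
    textInput: escapeHtml(args.textInput || args.urlInput),
  });
}

// Detection helper: true if the output contains any tag other than the anchor.
function leaksMarkup(html) {
  return /<(?!\/?a\b)[a-z]/i.test(html);
}

// Constructed sample input using the payload shape named in the advisory.
const sample = {
  urlInput: "https://example.com/",
  targetSelect: "_blank",
  textInput: "<img src=x onerror=alert(1)>",
};
```

Running buildLinkVulnerable(sample) yields an anchor whose text is a live img element with an onerror handler; buildLinkFixed(sample) yields the same anchor with the description rendered as literal text.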
Mitigation
Dijit version 1.7.x is End-of-Life and will not receive any updates to address this issue. For more information see the Dojo website announcement.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to a fixed version of Dojo/Dijit.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.