CVE-2010-2273: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

September 11, 2019 (updated August 17, 2021)

Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.

References

bugs.dojotoolkit.org/ticket/10773
dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/
secunia.com/advisories/38964
secunia.com/advisories/40007
www-01.ibm.com/support/docview.wss?uid=swg21431472
www-1.ibm.com/support/docview.wss?uid=swg1LO50833
www-1.ibm.com/support/docview.wss?uid=swg1LO50849
www-1.ibm.com/support/docview.wss?uid=swg1LO50856
www-1.ibm.com/support/docview.wss?uid=swg1LO50896
www-1.ibm.com/support/docview.wss?uid=swg1LO50932
www-1.ibm.com/support/docview.wss?uid=swg1LO50958
www-1.ibm.com/support/docview.wss?uid=swg1LO50994
www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/
www.vupen.com/english/advisories/2010/1281
bugs.dojotoolkit.org/ticket/10773
github.com/advisories/GHSA-536q-8gxx-m782
github.com/dojo/dojo/commit/9117ffd5a3863e44c92fcd58564c0da22be858f4
github.com/dojo/dojo/pull/307
nvd.nist.gov/vuln/detail/CVE-2010-2273
www.npmjs.com/advisories/972

Code Behaviors & Features

Detect and mitigate CVE-2010-2273 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →