CVE-2010-2273

Dojo 1.0.x-1.0.2, 1.1.x-1.1.1, 1.2.x-1.2.3, 1.3.x-1.3.2, 1.4.x-1.4.1 - Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-2273. PoCs published by Adam Bixby.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in Dojo versions prior to 1.4.2. The PoC leverages insufficient sanitization of user-supplied input in the 'dojoUrl' parameter to execute arbitrary JavaScript code in the context of the affected site.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Adam Bixby · textwebappsmultiple

https://www.exploit-db.com/exploits/33765

View Code ZIP pw:eip

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Dojo versions prior to 1.4.2. The PoC leverages insufficient sanitization of user-supplied input in the 'dojoUrl' parameter to execute arbitrary JavaScript code in the context of the affected site.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Dojo versions prior to 1.4.2

No auth needed

Prerequisites: A vulnerable version of Dojo · User interaction to visit a crafted URL

MITRE ATT&CK