CVE-2019-10785
MEDIUMdojox < 1.11.9 - Cross-Site Scripting via Incomplete XML Encoding
Title source: llmDescription
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-DOJOX-548257%2C
Exploit, Third Party Advisory x_refsource_misc
https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html
Scores
CVSS v3
6.1
EPSS
0.0024
EPSS Percentile
47.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
debian/debian_linux
8.0
linuxfoundation/dojox
1.11.0 - 1.11.9
npm/dojox
0 - 1.11.9npm
Published
Feb 13, 2020
Tracked Since
Feb 18, 2026