Severity: LOW · CVE-2020-4051 · CVSS 3.7

CVE-2020-4051: XSS in Dojo Dijit Editor LinkDialog

Platform

nodejs

Component

dijit

Fixed in

1.11.12

1.12.1

1.13.1

1.14.1

1.15.1

1.16.1

1.11.11

AI Confidence: high · Source: NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2020-4051 describes a Cross-Site Scripting (XSS) vulnerability affecting the Dojo Dijit Editor’s LinkDialog plugin. This vulnerability allows an attacker to inject malicious scripts, potentially leading to data theft or session hijacking. The vulnerability impacts versions of Dojo Dijit prior to 1.11.11, and a patch is available in version 1.11.11 and later releases.

Impact and Attack Scenarios

The XSS vulnerability in Dojo Dijit’s LinkDialog plugin allows an attacker to inject arbitrary JavaScript code into a user's browser when they interact with the LinkDialog. This can be exploited to steal sensitive information, such as cookies and session tokens, allowing the attacker to impersonate the user. The attack typically involves crafting a malicious URL or input that, when processed by the LinkDialog, executes the attacker's JavaScript. Successful exploitation could lead to account takeover and unauthorized access to data within the application using the Dojo Dijit Editor.

Exploitation Context

CVE-2020-4051 has not been widely reported as being actively exploited in the wild. Public proof-of-concept (PoC) code is not readily available. The vulnerability was disclosed on 2020-06-15 and a patch was released shortly thereafter. It is not listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.22% (44th percentile)

CVSS Vector

CVSS 3.1 Base Score: 3.7 (LOW)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: dijit
Vendor: osv

Affected range          Fixed in
< 1.11.11               1.11.12
>= 1.12.0, < 1.12.9     1.12.1
>= 1.13.0, < 1.13.8     1.13.1
>= 1.14.0, < 1.14.7     1.14.1
>= 1.15.0, < 1.15.4     1.15.1
>= 1.16.0, < 1.16.3     1.16.1

Also listed as fixed in: 1.11.11

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2020-4051 is to upgrade to a patched version of Dojo Dijit, specifically version 1.11.11 or later. If upgrading immediately is not feasible, consider implementing input validation and sanitization on user-supplied data within the LinkDialog to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload through the LinkDialog and verifying that it is not executed.
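Before upgrading, it helps to know which dijit release a project actually ships. The following Node.js snippet is an added example, not code from the Dojo project or from this advisory: it encodes the affected ranges listed in the Affected Software table above and evaluates an installed version (or a constructed package-lock fragment) against them. The lock-file shape and the `checkLock` helper are assumptions for illustration.

```javascript
// Added example: check a dijit version against the affected ranges this page
// lists for CVE-2020-4051. Not part of the Dojo project.
const AFFECTED_RANGES = [
  "< 1.11.11",
  ">= 1.12.0, < 1.12.9",
  ">= 1.13.0, < 1.13.8",
  ">= 1.14.0, < 1.14.7",
  ">= 1.15.0, < 1.15.4",
  ">= 1.16.0, < 1.16.3",
];

// Compare dotted numeric versions; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Evaluate one constraint such as ">= 1.12.0" or "< 1.11.11".
function satisfies(version, constraint) {
  const m = /^(<=|>=|<|>|=)?\s*([\d.]+)$/.exec(constraint.trim());
  if (!m) throw new Error(`unparseable constraint: ${constraint}`);
  const cmp = compareVersions(version, m[2]);
  switch (m[1] || "=") {
    case "<": return cmp < 0;
    case "<=": return cmp <= 0;
    case ">": return cmp > 0;
    case ">=": return cmp >= 0;
    default: return cmp === 0;
  }
}

// A range like ">= 1.12.0, < 1.12.9" is the AND of its comma-separated parts.
function inRange(version, range) {
  return range.split(",").every((c) => satisfies(version, c));
}

// Returns the matching affected range, or null when the version is patched.
function affectedBy(version) {
  return AFFECTED_RANGES.find((r) => inRange(version, r)) || null;
}

// Constructed package-lock v2 fragment (hypothetical project, not real data).
const SAMPLE_LOCK = { packages: { "node_modules/dijit": { version: "1.14.3" } } };
function checkLock(lock) {
  const v = lock.packages?.["node_modules/dijit"]?.version;
  return v ? { version: v, affected: affectedBy(v) } : null;
}
```

Any non-null result means the locked dijit release falls inside a range the advisory lists as affected and should be moved to the corresponding patched release.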

How to fix

Update the Dijit library to version 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4 or 1.16.3, or to a later version that contains the fix for the XSS vulnerability in the Editor's LinkDialog plugin. This prevents execution of unauthorized scripts in the application's context.


Frequently asked questions

What is CVE-2020-4051 — XSS in Dojo Dijit Editor LinkDialog?

CVE-2020-4051 is a Cross-Site Scripting (XSS) vulnerability in the Dojo Dijit Editor’s LinkDialog plugin, allowing attackers to inject malicious scripts.

Am I affected by CVE-2020-4051 in Dojo Dijit Editor LinkDialog?

You are affected if you are using Dojo Dijit versions prior to 1.11.11. Check your dependencies to determine if you are vulnerable.

How do I fix CVE-2020-4051 in Dojo Dijit Editor LinkDialog?

Upgrade to Dojo Dijit version 1.11.11 or later to resolve the vulnerability. Input validation is a temporary workaround.

Is CVE-2020-4051 being actively exploited?

There are no widespread reports of CVE-2020-4051 being actively exploited at this time.

Where can I find the official Dojo Dijit advisory for CVE-2020-4051?

Refer to the Dojo Dijit GitHub repository for more information: https://github.com/dojo/dijit/
