Platform: nodejs
Component: dojox
Fixed in: 1.14.0
CVE-2018-15494 describes a critical string injection vulnerability discovered in Dojo Toolkit versions before 1.14.0. This flaw allows attackers to inject arbitrary strings, potentially leading to cross-site scripting (XSS) attacks. Affected versions include all releases prior to 1.14.0. A patch is available in version 1.14.0.
The vulnerability stems from improper escaping of strings within the dojox/Grid/DataGrid component. An attacker can craft malicious input that, when processed by the DataGrid, results in the injection of arbitrary strings into the rendered HTML. This can lead to XSS, allowing an attacker to execute arbitrary JavaScript code in the victim's browser. Successful exploitation could result in session hijacking, defacement of the web application, or theft of sensitive information. The impact is particularly severe because Dojo Toolkit is used in numerous web applications, potentially affecting a wide range of users.
CVE-2018-15494 was publicly disclosed on October 15, 2018. While no active exploitation campaigns have been definitively linked to this vulnerability, the high CVSS score (9.8) and the potential for widespread impact make it a significant risk. Public proof-of-concept exploits are available, demonstrating the ease with which the vulnerability can be exploited. It is not listed on CISA KEV as of this writing.
Web applications that use Dojo Toolkit versions earlier than 1.14.0 are at risk. This includes applications built using the Dojo Toolkit framework, particularly those that rely heavily on the dojox/Grid/DataGrid component for displaying data. Shared hosting environments where multiple applications share the same Dojo Toolkit installation are also at increased risk.
• nodejs:
npm list dojo
Check the version reported. If it's less than 1.14.0, the system is vulnerable.
• generic web:
Inspect the Dojo Toolkit version being used by the application. This can often be found in the HTML source code or by examining the JavaScript files being loaded.
• generic web:
Review application logs for suspicious activity related to the dojox/Grid/DataGrid component, such as unusual characters or patterns in user input.
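The version check above, applied to a whole dependency tree, as an added example that is not part of the original page: it walks the JSON that `npm ls --json` prints and reports every nested copy of dojo or dojox below 1.14.0. The function names and the sample tree are constructed for illustration; flagging a pre-release of 1.14.0 or an unreadable version for review is an assumption of this example.

```javascript
// Added example: find dojo/dojox copies older than the fixed release in
// the JSON tree printed by `npm ls --json`.
const FIXED = [1, 14, 0];                    // fix version stated on this page
const WATCHED = new Set(["dojo", "dojox"]);  // names from the page's command and component field

// Parse "1.13.0", "v1.9.11" or "1.14.0-rc1" into [major, minor, patch, isPrerelease].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3]), Boolean(m[4])];
}

// True when the version sorts below the fixed release. Assumption: a pre-release
// of 1.14.0 and any unparsable version are flagged so a person reviews them.
function isBelowFix(v) {
  const p = parseVersion(v);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return p[3];
}

// Walk the nested "dependencies" objects, recording the path to each hit.
function findVulnerable(tree, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (WATCHED.has(name) && isBelowFix(info.version)) {
      hits.push({ path: here.join(" > "), version: info.version });
    }
    hits.push(...findVulnerable(info, here));
  }
  return hits;
}

// Constructed sample in the shape of `npm ls --json` output.
const SAMPLE = {
  name: "example-app", version: "1.0.0",
  dependencies: {
    dojo: { version: "1.14.0" },
    dojox: { version: "1.13.0" },
    "legacy-widgets": {
      version: "2.1.0", dependencies: { dojox: { version: "1.9.11" }, dojo: { version: "1.14.0-rc1" } },
    },
  },
};

console.log(findVulnerable(SAMPLE));
```

To audit a real project, replace SAMPLE with the parsed output of `npm ls --json` run in the application directory.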
EPSS: 0.64% (percentile 70%)
The primary mitigation for CVE-2018-15494 is to upgrade to Dojo Toolkit version 1.14.0 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on all user-supplied data used within the dojox/Grid/DataGrid component. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block XSS payloads may also provide some protection. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into a DataGrid field and verifying that it is properly sanitized.
CVE-2018-15494 is a critical vulnerability in Dojo Toolkit versions before 1.14.0 that allows attackers to inject arbitrary strings, potentially leading to XSS.
Yes, if you are using Dojo Toolkit versions prior to 1.14.0, you are vulnerable to this string injection flaw.
Upgrade to Dojo Toolkit version 1.14.0 or later to resolve this vulnerability. Implement input validation and output encoding as a temporary workaround.
While no confirmed active exploitation campaigns are publicly known, the high CVSS score and availability of PoCs indicate a significant risk.
Refer to the Dojo Toolkit project's security advisories for detailed information: https://dojotoolkit.org/security/