Platform: nodejs
Component: dijit
Fixed in: 1.11.12, 1.12.1, 1.13.1, 1.14.1, 1.15.1, 1.16.1, 1.11.11
CVE-2020-4051 describes a Cross-Site Scripting (XSS) vulnerability affecting the Dojo Dijit Editor’s LinkDialog plugin. This vulnerability allows an attacker to inject malicious scripts, potentially leading to data theft or session hijacking. The vulnerability impacts versions of Dojo Dijit prior to 1.11.11, and a patch is available in version 1.11.11 and later releases.
The XSS vulnerability in Dojo Dijit’s LinkDialog plugin allows an attacker to inject arbitrary JavaScript code into a user's browser when they interact with the LinkDialog. This can be exploited to steal sensitive information, such as cookies and session tokens, allowing the attacker to impersonate the user. The attack typically involves crafting a malicious URL or input that, when processed by the LinkDialog, executes the attacker's JavaScript. Successful exploitation could lead to account takeover and unauthorized access to data within the application using the Dojo Dijit Editor.
CVE-2020-4051 has not been widely reported as being actively exploited in the wild. Public proof-of-concept (PoC) code is not readily available. The vulnerability was disclosed on 2020-06-15 and a patch was released shortly thereafter. It is not listed on the CISA KEV catalog.
Applications utilizing the Dojo Dijit Editor plugin, particularly those handling user-supplied data within the LinkDialog, are at risk. This includes web applications built with Node.js and those leveraging Dojo Dijit as a core component. Legacy applications using older, unpatched versions of Dojo Dijit are particularly vulnerable.
• nodejs / supply-chain: npm list dijit
• nodejs / supply-chain: npm audit dijit
• generic web: Inspect the HTML source of pages that use the Dojo Dijit Editor for any unusual JavaScript injected into the LinkDialog.
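The dependency checks above only list what is installed; deciding whether each copy is stale still has to be done against the per-branch fix versions. The following script is an added example (not part of the original advisory and not Dojo tooling) that walks the JSON printed by `npm ls dijit --json --all`, finds every copy of dijit including transitive ones, and flags those older than the fix for their branch. The fix list is the one stated in this page's update advice and should be confirmed against the upstream Dojo advisory; the sample `npm ls` output and the `legacy-widgets` package are constructed for the demonstration.

```javascript
// Added example (not part of the original advisory, not Dojo's tooling):
// walk the JSON produced by `npm ls dijit --json --all` and flag every
// installed copy of dijit, including transitive ones, that predates the
// patched release of its 1.x branch.

// Per-branch fix versions as stated in this page's update advice.
// Confirm against the upstream Dojo advisory before relying on them.
const FIXED_VERSIONS = ["1.11.11", "1.12.9", "1.13.8", "1.14.7", "1.15.4", "1.16.3"];

// Parse "major.minor.patch" (pre-release suffixes are ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when `installed` is older than the fix for its own major.minor branch.
// A branch with no listed fix is affected if it is older than the oldest fixed
// release (nothing patched exists for it) and treated as fixed if it is newer.
function isAffected(installed, fixed = FIXED_VERSIONS) {
  const [maj, min] = parseVersion(installed);
  const branchFix = fixed.find((f) => {
    const [fm, fn] = parseVersion(f);
    return fm === maj && fn === min;
  });
  if (branchFix) return compareVersions(installed, branchFix) < 0;
  const oldestFix = fixed.reduce((a, b) => (compareVersions(a, b) <= 0 ? a : b));
  return compareVersions(installed, oldestFix) < 0;
}

// Recursively collect every dijit node in the dependency tree with its path.
function findDijit(node, path = [], out = []) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${info.version || "?"}`];
    if (name === "dijit" && info.version) {
      out.push({ path: here.join(" > "), version: info.version, affected: isAffected(info.version) });
    }
    findDijit(info, here, out);
  }
  return out;
}

// Entry point: takes the raw text of `npm ls dijit --json --all`.
function auditDijit(npmLsJson) {
  return findDijit(JSON.parse(npmLsJson));
}

// Constructed sample output (not from a real project): one patched top-level
// dijit and one stale transitive copy pulled in by a hypothetical package.
const SAMPLE_NPM_LS = JSON.stringify({
  name: "example-app",
  version: "0.1.0",
  dependencies: {
    dijit: { version: "1.16.3" },
    "legacy-widgets": {
      version: "2.3.0",
      dependencies: { dijit: { version: "1.12.4" } },
    },
  },
});

for (const r of auditDijit(SAMPLE_NPM_LS)) {
  console.log(`${r.affected ? "AFFECTED" : "ok      "} ${r.version}  ${r.path}`);
}
```

To run it against a real project, pipe the output of `npm ls dijit --json --all` into `auditDijit` instead of the constructed sample. Nested copies matter because a patched top-level dijit does not protect a page that loads an older copy bundled by another dependency.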
disclosure
Exploit status
EPSS: 0.22% (percentile 44%)
CVSS vector
The primary mitigation for CVE-2020-4051 is to upgrade to a patched version of Dojo Dijit, specifically version 1.11.11 or later. If upgrading immediately is not feasible, consider implementing input validation and sanitization on user-supplied data within the LinkDialog to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload through the LinkDialog and verifying that it is not executed.
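The interim "input validation and sanitization" workaround is easiest to reason about as an allow-list on the link target rather than a block-list of bad strings. The code below is an added example, not Dojo's patch and not code from this advisory: it accepts only relative references and absolute URLs with an `http:`, `https:` or `mailto:` scheme, strips the control characters browsers ignore when parsing a scheme so that an obscured scheme is still recognized, and escapes the value before it is placed in an `href` attribute. `safeLinkHref`, `escapeHtml` and `renderLink` are hypothetical names; the candidate inputs at the bottom are constructed.

```javascript
// Added example (not Dojo's patch, not code from the original advisory):
// an allow-list check for editor link targets, usable as the interim
// input-validation workaround the advisory describes. renderLink() is a
// hypothetical rendering step showing the value placed into an href with
// escaping applied.

// Only these URL schemes are accepted for absolute link targets.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a normalized href for a relative reference or an absolute URL with
// an allowed scheme; returns null for anything else (unknown scheme, scheme
// obscured by control characters, protocol-relative URL, empty input).
function safeLinkHref(raw) {
  if (typeof raw !== "string") return null;
  const trimmed = raw.trim();
  // Browsers ignore ASCII control characters and whitespace when they parse
  // a scheme, so remove them before deciding what the scheme is.
  const probe = trimmed.replace(/[\u0000-\u0020\u007f]/g, "");
  if (probe === "" || probe.startsWith("//")) return null;
  // No scheme at all: a relative reference such as "/docs/page" or "#top".
  if (!/^[a-z][a-z0-9+.-]*:/i.test(probe)) return trimmed;
  let url;
  try {
    url = new URL(probe);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Escape text for placement inside an HTML attribute or text node.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical rendering step: emit an anchor only when the target passes
// the allow list; otherwise fall back to plain text so nothing is lost.
function renderLink(rawHref, text) {
  const href = safeLinkHref(rawHref);
  const label = escapeHtml(text);
  return href === null ? label : `<a href="${escapeHtml(href)}">${label}</a>`;
}

// Constructed candidate inputs for demonstration.
const CANDIDATES = ["https://example.org/docs", "/docs/page.html", "JAVASCRIPT:1", "java\tscript:1", "data:text/html,x"];
for (const candidate of CANDIDATES) {
  console.log(JSON.stringify(candidate), "->", JSON.stringify(safeLinkHref(candidate)));
}
```

Note that this is a workaround for the link-target field only; it does not replace the upgrade, since the patched release fixes the dialog itself. The post-upgrade check described above (submit a harmless script payload through the LinkDialog and confirm it is not executed) still applies.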
Update the Dijit library to version 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4 or 1.16.3, or to a later version that contains the fix for the XSS vulnerability in the editor's LinkDialog plugin. This prevents unauthorized scripts from executing in the application's context.
CVE-2020-4051 is a Cross-Site Scripting (XSS) vulnerability in the Dojo Dijit Editor’s LinkDialog plugin, allowing attackers to inject malicious scripts.
You are affected if you are using Dojo Dijit versions prior to 1.11.11. Check your dependencies to determine if you are vulnerable.
Upgrade to Dojo Dijit version 1.11.11 or later to resolve the vulnerability. Input validation is a temporary workaround.
There are no widespread reports of CVE-2020-4051 being actively exploited at this time.
Refer to the Dojo Dijit GitHub repository for more information: https://github.com/dojo/dijit/