Cross-site Scripting in the LinkDialog plugin of the dijit Editor
Platform: nodejs
Component: dijit
Fixed versions: 1.11.12, 1.12.1, 1.13.1, 1.14.1, 1.15.1, 1.16.1, 1.11.11
CVE-2020-4051 describes a Cross-Site Scripting (XSS) vulnerability affecting the Dojo Dijit Editor’s LinkDialog plugin. This vulnerability allows an attacker to inject malicious scripts, potentially leading to data theft or session hijacking. The vulnerability impacts versions of Dojo Dijit prior to 1.11.11, and a patch is available in version 1.11.11 and later releases.
Impact and attack scenarios
The XSS vulnerability in Dojo Dijit’s LinkDialog plugin allows an attacker to inject arbitrary JavaScript code into a user's browser when they interact with the LinkDialog. This can be exploited to steal sensitive information, such as cookies and session tokens, allowing the attacker to impersonate the user. The attack typically involves crafting a malicious URL or input that, when processed by the LinkDialog, executes the attacker's JavaScript. Successful exploitation could lead to account takeover and unauthorized access to data within the application using the Dojo Dijit Editor.
Exploitation context
CVE-2020-4051 has not been widely reported as being actively exploited in the wild. Public proof-of-concept (PoC) code is not readily available. The vulnerability was disclosed on 2020-06-15 and a patch was released shortly thereafter. It is not listed on the CISA KEV catalog.
Who is at risk
Applications utilizing the Dojo Dijit Editor plugin, particularly those handling user-supplied data within the LinkDialog, are at risk. This includes web applications built with Node.js and those leveraging Dojo Dijit as a core component. Legacy applications using older, unpatched versions of Dojo Dijit are particularly vulnerable.
Detection steps
• nodejs / supply-chain: npm list dijit
• nodejs / supply-chain: npm audit dijit
• generic web: Inspect the HTML source code of pages using the Dojo Dijit Editor for any unusual JavaScript code injected into the LinkDialog.
Attack timeline
- Disclosure
Threat intelligence
Exploitation status
EPSS: 0.22% (44th percentile)
CVSS vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required. Largest attack surface.
- Attack Complexity: High. Requires a race condition, a non-default configuration, or specific circumstances; hard to exploit reliably.
- Privileges Required: Low. Any valid user account suffices.
- User Interaction: Required. The victim must open a file, click a link, or visit a crafted page.
- Scope: Unchanged. Impact is confined to the vulnerable component itself.
- Confidentiality: Low. Some data can be accessed.
- Integrity: Low. The attacker can modify some data, with limited impact.
- Availability: None. No availability impact.
Mitigations and workarounds
The primary mitigation for CVE-2020-4051 is to upgrade to a patched version of Dojo Dijit, specifically version 1.11.11 or later. If upgrading immediately is not feasible, consider implementing input validation and sanitization on user-supplied data within the LinkDialog to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload through the LinkDialog and verifying that it is not executed.
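As an added illustration of the input validation and sanitization this section recommends (example code written for this page, not Dojo's own LinkDialog implementation), assuming a dialog that collects url, text and target fields and builds an anchor from them:

```javascript
// Added example for this page, not Dojo's own LinkDialog code. It models the
// mitigation described above: validate and escape the user-supplied URL, text
// and target values before a link dialog turns them into an <a> element.
// The field names (url, text, target) are assumptions.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const ALLOWED_TARGETS = new Set(["_self", "_blank", "_top", "_parent"]);

// Accept only same-origin relative links ("/path", "#anchor") or absolute URLs
// whose scheme is allow-listed, so "javascript:" and "data:" never reach href.
function isSafeLinkUrl(raw) {
  const url = String(raw).trim();
  if (/^(\/(?!\/)|#)/.test(url)) return !/[\s<>"']/.test(url);
  try {
    return ALLOWED_SCHEMES.has(new URL(url).protocol); // protocol is lower-cased
  } catch (e) {
    return false; // unparsable input (including "//host" forms) is treated as unsafe
  }
}

// Escape a value for use inside a double-quoted attribute or a text node.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Return the anchor markup to insert, or null so the dialog can show an error
// instead of inserting anything.
function buildSafeAnchor({ url, text, target }) {
  if (!isSafeLinkUrl(url)) return null;
  const safeTarget = ALLOWED_TARGETS.has(target) ? target : "_self";
  const label = text && String(text).trim() ? text : String(url).trim();
  return `<a href="${escapeHtml(String(url).trim())}" target="${safeTarget}">` +
    `${escapeHtml(label)}</a>`;
}
```

Rejecting at the scheme level and escaping at the markup level are independent layers; the upgrade remains the actual fix and this only narrows exposure until it is applied.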
Remediation
Update the Dijit library to version 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4 or 1.16.3, or to a later version that includes the fix for the XSS vulnerability in the Editor's LinkDialog plugin. This prevents unauthorized scripts from executing in the application's context.
Frequently asked questions
What is CVE-2020-4051 — XSS in Dojo Dijit Editor LinkDialog?
CVE-2020-4051 is a Cross-Site Scripting (XSS) vulnerability in the Dojo Dijit Editor’s LinkDialog plugin, allowing attackers to inject malicious scripts.
Am I affected by CVE-2020-4051 in Dojo Dijit Editor LinkDialog?
You are affected if you are using Dojo Dijit versions prior to 1.11.11. Check your dependencies to determine if you are vulnerable.
How do I fix CVE-2020-4051 in Dojo Dijit Editor LinkDialog?
Upgrade to Dojo Dijit version 1.11.11 or later to resolve the vulnerability. Input validation is a temporary workaround.
Is CVE-2020-4051 being actively exploited?
There are no widespread reports of CVE-2020-4051 being actively exploited at this time.
Where can I find the official Dojo Dijit advisory for CVE-2020-4051?
Refer to the Dojo Dijit GitHub repository for more information: https://github.com/dojo/dijit/