CVE-2020-5259 Information

Feb 14, 2021 cve

Description

In affected versions of dojox (NPM package) the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes such as objects. An attacker manipulates these attributes to overwrite or pollute a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10 1.12.8 1.13.7 1.14.6 1.15.3 and 1.16.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Reference

https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

8.6

Share on: