4.3

CVE-2010-2273

Exploit
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DojotoolkitDojo Version1.0
DojotoolkitDojo Version1.0.1
DojotoolkitDojo Version1.0.2
DojotoolkitDojo Version1.1
DojotoolkitDojo Version1.1.1
DojotoolkitDojo Version1.2
DojotoolkitDojo Version1.2.1
DojotoolkitDojo Version1.2.2
DojotoolkitDojo Version1.2.3
DojotoolkitDojo Version1.3
DojotoolkitDojo Version1.3.1
DojotoolkitDojo Version1.3.2
DojotoolkitDojo Version1.4
DojotoolkitDojo Version1.4.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.55% 0.903
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/
Patch
Vendor Advisory
http://secunia.com/advisories/38964
Vendor Advisory
http://bugs.dojotoolkit.org/ticket/10773
Exploit
http://secunia.com/advisories/40007
Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21431472
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994
http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/
Exploit
http://www.vupen.com/english/advisories/2010/1281
Vendor Advisory