Vulnerability Name: CVE-2019-10785 (CCN-176460) Assigned: 2019-04-03 Published: 2020-02-12 Updated: 2020-04-09 Summary: dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. CVSS v3 Severity: 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): LowIntegrity (I): LowAvailibility (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): LowIntegrity (I): LowAvailibility (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): None
Vulnerability Type: CWE-79 Vulnerability Consequences: Cross-Site Scripting References: Source: MITRECVE-2019-10785 dojox-cve201910785-xss(176460) XSS due to insufficient escape in dojox.xmpp.util.xmlEncode https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr [debian-lts-announce] 20200229 [SECURITY] [DLA 2127-1] dojo security update https://snyk.io/vuln/SNYK-JS-DOJOX-548257, IBM DataPower Gateway affected by XSS vulnerability (CVE-2019-10785) IBM Tivoli Netcool Impact is affected by an IBM Dojo Toolkit vulnerability (CVE-2019-10785) Multiple vulnerabilities in dojo may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) Multiple vulnerabilities affect IBM Cloud Pak for Automation IBM Security Guardium is affected by multiple vulnerabilities Multiple security vulnerabilities have been identified in dojo library shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2019-10785, CVE-2020-5259, CVE-2020-4051, CVE-2018-15494, CVE-2021-23450) Multiple vulnerabilities in Open Source software used by Cloud Pak System IBM QRadar SIEM includes components with known vulnerabilities Vulnerable Configuration: Configuration 1 :cpe:/a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:* (Version >= 1.11.0 and < 1.11.9)OR cpe:/a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:* (Version >= 1.12.0 and < 1.12.7) OR cpe:/a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:* (Version >= 1.13.0 and < 1.13.6) OR cpe:/a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:* (Version >= 1.14.0 and < 1.14.5) OR cpe:/a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:* (Version >= 1.15.0 and < 1.15.2) OR cpe:/a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:* (Version >= 1.16.0 and < 1.16.1) Configuration 2 :cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:ibm:business_process_manager:8.5:*:*:*:*:*:*:* OR cpe:/a:ibm:business_process_manager:8.6:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:* OR cpe:/a:ibm:datapower_gateway:2018.4.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:10.6:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:* OR cpe:/a:ibm:business_automation_workflow:18.0:*:*:*:*:*:*:* OR cpe:/a:ibm:business_automation_workflow:19.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.2:*:*:*:*:*:*:* OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium_key_lifecycle_manager:4.1.1:*:*:*:*:*:*:* Oval Definitions BACK
linuxfoundation dojox *
linuxfoundation dojox *
linuxfoundation dojox *
linuxfoundation dojox *
linuxfoundation dojox *
linuxfoundation dojox *
debian debian linux 8.0
ibm business process manager 8.5
ibm business process manager 8.6
ibm security guardium 10.5
ibm datapower gateway 2018.4.1.0
ibm security guardium 10.6
ibm tivoli netcool/impact 7.1.0.0
ibm security guardium 11.0
ibm security guardium 11.1
ibm qradar security information and event manager 7.4 -
ibm business automation workflow 18.0
ibm business automation workflow 19.0
ibm security guardium 11.2
ibm business automation workflow 20.0.0.1
ibm cloud pak for automation 20.0.3
ibm security guardium 11.3
ibm security guardium key lifecycle manager 4.1.1
Denotes that component is vulnerable