{"containers": {"cna": {"affected": [{"product": "dojox", "vendor": "dojo", "versions": [{"status": "affected", "version": "< 1.11.10"}, {"status": "affected", "version": ">= 1.12.0, < 1.12.8"}, {"status": "affected", "version": ">= 1.13.0, < 1.13.7"}, {"status": "affected", "version": ">= 1.14.0, < 1.14.6"}, {"status": "affected", "version": ">= 1.15.0, < 1.15.3"}, {"status": "affected", "version": ">= 1.16.0, < 1.16.2"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-11T20:06:02.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da"}, {"name": "[debian-lts-announce] 20200311 [SECURITY] [DLA 2139-1] dojo security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"}], "source": {"advisory": "GHSA-3hw5-q855-g6cw", "discovery": "UNKNOWN"}, "title": "Prototype Pollution in Dojox", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5259", "STATE": "PUBLIC", "TITLE": "Prototype Pollution in Dojox"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "dojox", "version": {"version_data": [{"version_value": "< 1.11.10"}, {"version_value": ">= 1.12.0, < 1.12.8"}, {"version_value": ">= 1.13.0, < 1.13.7"}, {"version_value": ">= 1.14.0, < 1.14.6"}, {"version_value": ">= 1.15.0, < 1.15.3"}, {"version_value": ">= 1.16.0, < 1.16.2"}]}}]}, "vendor_name": "dojo"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2"}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw", "refsource": "CONFIRM", "url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw"}, {"name": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da", "refsource": "MISC", "url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da"}, {"name": "[debian-lts-announce] 20200311 [SECURITY] [DLA 2139-1] dojo security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"}]}, "source": {"advisory": "GHSA-3hw5-q855-g6cw", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.035Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da"}, {"name": "[debian-lts-announce] 20200311 [SECURITY] [DLA 2139-1] dojo security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5259", "datePublished": "2020-03-10T17:50:14.000Z", "dateReserved": "2020-01-02T00:00:00.000Z", "dateUpdated": "2024-08-04T08:22:09.035Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8FE926F0-90A5-4A7D-9C47-15B5D220D9AD", "versionEndExcluding": "1.11.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B998EEAA-ED31-4484-B7FE-D984B1ED0A07", "versionEndExcluding": "1.12.8", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0A7B41CB-57BF-418C-B449-FFDA07D13BAB", "versionEndExcluding": "1.13.7", "versionStartIncluding": "1.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4273C6F4-9F0C-49D1-B18C-B333C767084A", "versionEndExcluding": "1.14.6", "versionStartIncluding": "1.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4869AB30-553C-44D1-A946-AB51D440D2F4", "versionEndExcluding": "1.15.3", "versionStartIncluding": "1.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CCC82759-D49E-4D83-A4C1-7C59BE897A32", "versionEndExcluding": "1.16.2", "versionStartIncluding": "1.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2"}, {"lang": "es", "value": "En las versiones afectadas de dojox (paquete NPM), el m\u00e9todo jqMix es vulnerable a una Contaminaci\u00f3n de Prototipo. La Contaminaci\u00f3n de Prototipo se refiere a la capacidad de inyectar propiedades en prototipos de construcciones de lenguaje JavaScript existentes, tales como objetos. Un atacante manipula estos atributos para sobrescribir o contaminar un prototipo de objeto de la aplicaci\u00f3n JavaScript del objeto base mediante la inyecci\u00f3n de otros valores. Esto ha sido parcheado en las versiones 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 y 1.16.2"}], "id": "CVE-2020-5259", "lastModified": "2024-11-21T05:33:47.097", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-10T18:15:12.203", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}