
Prototype Pollution in Dojox

Low severity GitHub Reviewed Published Mar 10, 2020 in dojo/dojox • Updated Jan 9, 2023

Package

npm dojox (npm)

Affected versions

< 1.11.10
>= 1.12.0, < 1.12.8
>= 1.13.0, < 1.13.7
>= 1.14.0, < 1.14.6
>= 1.15.0, < 1.15.3
>= 1.16.0, < 1.16.2

Patched versions

1.11.10
1.12.8
1.13.7
1.14.6
1.15.3
1.16.2

Description

The `jqMix` mixin method in the Dojox jQuery wrapper (`dojox/jq.js`) is vulnerable to Prototype Pollution. `jqMix` walks every enumerable key of `props` with `for...in` and recursively merges object-valued keys into `obj`, with no exclusion of keys such as `__proto__`; a `props` object that carries such a key (for example one produced by `JSON.parse` of untrusted input) therefore causes the merge to descend into `Object.prototype` and write attacker-chosen properties onto every object.

Affected Area:

```js
// https://github.com/dojo/dojox/blob/master/jq.js#L442
// Vulnerable merge as shipped in the affected versions (behaviour unchanged;
// the enclosing function, closing braces and return are restored here so the
// fragment reads as a whole).
var jqMix = function(obj, props){
	var tobj = {};
	for(var x in props){
		// the "tobj" condition avoids copying properties in "props"
		// inherited from Object.prototype.  For example, if obj has a custom
		// toString() method, don't overwrite it with the toString() method
		// that props inherited from Object.prototype
		if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
			if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
				if(dojo.isArray(props[x])){
					obj[x] = props[x];
				}else{
					// recursing into obj[x] is what lets a "__proto__" key in props
					// turn into a merge into Object.prototype
					obj[x] = jqMix(obj[x], props[x]);
				}
			}else{
				obj[x] = props[x];
			}
		}
	}
	return obj;
};
```
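The following is an added example, not code from the dojox project or from this advisory. It re-creates the merge pattern above in a self-contained form (`isObject`/`isArray` are assumed stand-ins for `dojo.isObject`/`dojo.isArray`), runs two constructed attacker payloads through it to show `Object.prototype` being written, and places a hardened merge (`jqMixSafe`, a hypothetical name) beside it that blocks the dangerous keys and only recurses into the target's own properties.

```javascript
// Added example (not dojox code). Assumed stand-ins for dojo.isObject /
// dojo.isArray: dojo treats null, objects, arrays and functions as "objects".
function isArray(it) { return Array.isArray(it); }
function isObject(it) {
  return it !== undefined && (it === null || typeof it === "object" || typeof it === "function");
}

// Vulnerable merge: same control flow as the affected jqMix. `for (var x in props)`
// enumerates the own "__proto__" key that JSON.parse creates, and the recursive
// branch then merges into obj["__proto__"], i.e. Object.prototype.
function jqMixVulnerable(obj, props) {
  var tobj = {};
  for (var x in props) {
    if ((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]) {
      if (isObject(obj[x]) && isObject(props[x])) {
        if (isArray(props[x])) {
          obj[x] = props[x];
        } else {
          obj[x] = jqMixVulnerable(obj[x], props[x]);
        }
      } else {
        obj[x] = props[x];
      }
    }
  }
  return obj;
}

// Hardened merge (hypothetical, not the upstream fix): skip the keys that can
// reach a prototype, iterate own keys only, and recurse only into a value obj
// already owns, so the merge can never descend into an inherited object.
var BLOCKED_KEYS = { "__proto__": true, "constructor": true, "prototype": true };

function jqMixSafe(obj, props) {
  var keys = Object.keys(props);            // own enumerable keys only
  for (var i = 0; i < keys.length; i++) {
    var x = keys[i];
    if (Object.prototype.hasOwnProperty.call(BLOCKED_KEYS, x)) { continue; }
    var v = props[x];
    if (v === undefined || v === obj) { continue; }
    var target = Object.prototype.hasOwnProperty.call(obj, x) ? obj[x] : undefined;
    var bothPlain = isObject(target) && target !== null && typeof target !== "function" &&
                    isObject(v) && v !== null && typeof v !== "function" && !isArray(v);
    obj[x] = bothPlain ? jqMixSafe(target, v) : v;
  }
  return obj;
}

// Constructed attacker payloads (not taken from the advisory): the two shapes a
// JSON body takes to reach Object.prototype through a recursive merge.
var PROTO_PAYLOAD = '{"__proto__": {"polluted": "yes"}}';
var CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"polluted": "yes"}}}';

// Merge the payload into an empty object and report whether an unrelated,
// freshly created object now sees `key` through its prototype. Object.prototype
// is cleaned up afterwards so repeated runs start from a clean state.
function pollutes(merge, payload, key) {
  var probe = {};
  try {
    merge({}, JSON.parse(payload));
  } catch (e) {
    // In strict mode the constructor payload ends with a TypeError when the
    // merge tries to reassign Object.prototype; the pollution has already
    // happened by then, so the result is still reported.
  }
  var hit = probe[key] !== undefined;
  delete Object.prototype[key];
  return hit;
}

// Sanity check that the hardened merge still performs an ordinary deep merge.
function mergeDemo() {
  return jqMixSafe({ a: { b: 1 } }, { a: { c: 2 }, d: [1, 2] });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable, __proto__:  ", pollutes(jqMixVulnerable, PROTO_PAYLOAD, "polluted"));
  console.log("vulnerable, constructor:", pollutes(jqMixVulnerable, CONSTRUCTOR_PAYLOAD, "polluted"));
  console.log("hardened,   __proto__:  ", pollutes(jqMixSafe, PROTO_PAYLOAD, "polluted"));
  console.log("hardened,   constructor:", pollutes(jqMixSafe, CONSTRUCTOR_PAYLOAD, "polluted"));
  console.log("ordinary merge:", JSON.stringify(mergeDemo()));
}
```

The key-blocklist is the minimum; the own-property check on the target is what actually removes the class of bug, because even a key not on the list cannot make the merge walk into something `obj` merely inherits. Parsing untrusted JSON with `__proto__` keys is still the usual entry point, so applications on an affected version should treat any `jqMix` call fed from request data as reachable by this issue until upgraded to a patched release.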

References

@dylans dylans published to dojo/dojox Mar 10, 2020
Reviewed Mar 10, 2020
Published to the GitHub Advisory Database Mar 10, 2020
Last updated Jan 9, 2023

Severity

Low

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(60th percentile)

Weaknesses

CVE ID

CVE-2020-5259

GHSA ID

GHSA-3hw5-q855-g6cw

Source code

No known source code