PT-2010-3859 · Dojo Foundation · Dojo

Published: 2010-06-14 · Updated: 2019-09-11 · CVE-2010-2273

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Dojo versions 1.0.x through 1.0.2
Dojo versions 1.1.x through 1.1.1
Dojo versions 1.2.x through 1.2.3
Dojo versions 1.3.x through 1.3.2
Dojo versions 1.4.x through 1.4.1
Description

Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to files such as dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js. The issue is demonstrated by the dojoUrl and testUrl parameters to util/doh/runner.html: the package does not sanitize URL parameters in the testCommon.js and runner.html test files, so an attacker who gets a victim to open a crafted link can execute arbitrary JavaScript in the victim's browser.

Recommendations

Upgrade to version 1.4.2 or later for all affected versions of Dojo. As a temporary workaround, restrict access to the vulnerable files (dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js) until the patch is applied; test and build utilities generally have no business being served from a production deployment at all. Avoid using the dojoUrl and testUrl parameters of the affected util/doh/runner.html file until the issue is resolved.
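The root cause described above is a URL-valued query parameter that is trusted as-is. The following is an added illustration of the defensive check such a page should perform before it loads anything named by a parameter; it is not Dojo's code or its actual fix, and the parameter names dojoUrl and testUrl are the only things taken from the advisory. The allowed directory prefixes, the example origin and the helper names are assumptions made for the example. It resolves the raw value against the page's own origin with the WHATWG URL parser, which turns javascript:, data: and protocol-relative values into off-origin URLs that are rejected outright, and then allowlists the resulting path before it is assigned to a script element via DOM properties rather than string concatenation.

```javascript
// Added example (not Dojo's code): validate a URL-valued query parameter
// before it is used to load a script or test page. Runs in Node or a browser;
// URL and URLSearchParams are globals in both.

// Assumed: the only directories a library/test URL may legitimately point into.
const ALLOWED_PREFIXES = ["/dojo/", "/dijit/", "/dojox/", "/tests/"];

// Return the validated same-origin path, or null if the value must be rejected.
// `origin` is the page's own origin (location.origin in a browser); the default
// is an assumed placeholder so the function can be exercised offline.
function validateParamUrl(raw, extension, origin = "https://example.test") {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 512) return null;

  let parsed;
  try {
    parsed = new URL(raw, origin); // relative values resolve against our origin
  } catch (e) {
    return null; // unparsable input is rejected, never "cleaned up"
  }

  // javascript:, data:, vbscript:, //other-host/... and http://other-host/...
  // all resolve to an origin different from ours and are rejected here.
  if (parsed.origin !== origin) return null;

  // A script src must not carry a query string or fragment we did not add.
  if (parsed.search !== "" || parsed.hash !== "") return null;

  const path = parsed.pathname; // already normalised: "." and ".." segments removed
  if (path.includes("..")) return null; // defence in depth only
  if (!ALLOWED_PREFIXES.some((p) => path.startsWith(p))) return null;
  if (!path.endsWith(extension)) return null;
  return path;
}

// Read one parameter from a query string such as location.search.
function readParam(queryString, name) {
  return new URLSearchParams(queryString).get(name);
}

// Load the library named by dojoUrl, falling back to a fixed default when the
// parameter is missing or invalid. `doc` is passed in so the function can be
// exercised with a stub document outside a browser. Returns the path used.
function loadLibrary(doc, queryString, origin = "https://example.test") {
  const requested = validateParamUrl(readParam(queryString, "dojoUrl"), ".js", origin);
  const path = requested !== null ? requested : "/dojo/dojo.js"; // assumed default
  const script = doc.createElement("script");
  script.src = path; // property assignment, never innerHTML/document.write
  doc.head.appendChild(script);
  return path;
}

// Resolve the test page named by testUrl the same way; null means "do not load".
function resolveTestPage(queryString, origin = "https://example.test") {
  return validateParamUrl(readParam(queryString, "testUrl"), ".html", origin);
}

module.exports = { validateParamUrl, readParam, loadLibrary, resolveTestPage };
```

Two design points matter here. First, the check accepts a parsed, normalised path from an allowlist rather than trying to strip dangerous characters from the raw string, which is what "sanitizing" tends to get wrong. Second, the fallback on rejection is a fixed default rather than an error page that echoes the rejected value, so the parameter never reaches the DOM in any form.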

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2010-2273
GHSA-536Q-8GXX-M782

Affected Products

Dojo