PT-2018-2291 · Dojo Foundation · Dojo Toolkit

Imsebao

Published

2018-02-02

Updated

2022-05-14

CVE-2018-6561

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Dojo Toolkit version 1.13

Description The issue is related to the dijit.Editor component in Dojo Toolkit, which allows for cross-site scripting (XSS) attacks via the onload attribute of an SVG element. This can enable a remote attacker to perform cross-site scripting attacks.

Recommendations For Dojo Toolkit version 1.13, consider disabling the use of SVG elements with the onload attribute in the dijit.Editor component until a patch is available. Restrict access to the dijit.Editor component to minimize the risk of exploitation. Avoid using the onload attribute in SVG elements within the dijit.Editor component until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

BDU:2019-00417

CVE-2018-6561

GHSA-WP32-WQ34-2RQH

Affected Products

Dojo Toolkit

PT-2018-2291 · Dojo Foundation · Dojo Toolkit

CVE-2018-6561

Weakness Enumeration

Related Identifiers

Affected Products

References · 13