PT-2020-5619 · Dojo · Dojox

Published 2020-02-13 · Updated 2025-06-16 · CVE-2019-10785

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
dojox versions prior to 1.16.1
dojox versions prior to 1.15.2
dojox versions prior to 1.14.5
dojox versions prior to 1.13.6
dojox versions prior to 1.12.7
dojox versions prior to 1.11.9
Description
The issue is in the dojox.xmpp.util.xmlEncode function, which encodes only the first occurrence of each special character rather than every occurrence. Any later `<`, `>`, `&` or quote in the same string is passed through unescaped, so an input that repeats a metacharacter reaches the XML/HTML sink as live markup, leading to a potential Cross-site Scripting (XSS) vulnerability. This affects users of dojox/xmpp and dojox/dtl. The vulnerability may allow a remote attacker to impact the confidentiality and integrity of data in the victim's browser session, with user interaction required (UI:R in the vector above).
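The following is an added example, not code from the dojox project or from this advisory. It reconstructs the described first-occurrence behaviour (assumed here to come from passing a string pattern to String.prototype.replace, which matches once) beside a hardened form that uses global regular expressions, and includes a small check, hasRawMarkup, that a practitioner can run over an encoder's output to confirm no metacharacter survives. The attacker input ATTACK is constructed for the demonstration.

```javascript
// Added example reconstructing CVE-2019-10785's mechanism; not dojox's own code.
// Assumption: the vulnerable encoder used string patterns with
// String.prototype.replace, which replaces only the first match.

// Vulnerable pattern: each replace() call encodes the first occurrence only.
function xmlEncodeVulnerable(str) {
  if (!str) { return ""; }
  return str
    .replace("&", "&amp;")
    .replace(">", "&gt;")
    .replace("<", "&lt;")
    .replace("'", "&apos;")
    .replace('"', "&quot;");
}

// Hardened form: regular expressions with the /g flag encode every occurrence.
// Ampersand is handled first so the entities introduced later are not re-encoded.
function xmlEncodeFixed(str) {
  if (!str) { return ""; }
  return str
    .replace(/&/g, "&amp;")
    .replace(/>/g, "&gt;")
    .replace(/</g, "&lt;")
    .replace(/'/g, "&apos;")
    .replace(/"/g, "&quot;");
}

// Check an encoder's output: true if any raw <, >, quote, or a bare "&"
// that does not start one of the five expected entities is still present.
function hasRawMarkup(encoded) {
  return /[<>"']/.test(encoded) || /&(?!(amp|lt|gt|apos|quot);)/.test(encoded);
}

// Constructed attacker input: the first tag is escaped, the second is not.
const ATTACK = '<b>x</b><img src=x onerror=alert(1)>';

// Run both encoders over the payload and report whether markup survived.
function demo(input) {
  return {
    vulnerable: xmlEncodeVulnerable(input),
    vulnerableLeaksMarkup: hasRawMarkup(xmlEncodeVulnerable(input)),
    fixed: xmlEncodeFixed(input),
    fixedLeaksMarkup: hasRawMarkup(xmlEncodeFixed(input)),
  };
}

console.log(demo(ATTACK));
```

A regression test for this class of bug is simply to encode a string that repeats every metacharacter and assert that hasRawMarkup returns false; a single-character test vector such as `<` would have passed the vulnerable encoder.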
Recommendations
For dojox versions prior to 1.16.1, upgrade to version 1.16.1.
For dojox versions prior to 1.15.2, upgrade to version 1.15.2.
For dojox versions prior to 1.14.5, upgrade to version 1.14.5.
For dojox versions prior to 1.13.6, upgrade to version 1.13.6.
For dojox versions prior to 1.12.7, upgrade to version 1.12.7.
For dojox versions prior to 1.11.9, upgrade to version 1.11.9.
As a temporary workaround, the change applied in the upstream patch can be applied separately. Users of Dojo 1.10.x and earlier should review this change, determine whether it affects them, and backport the change as appropriate.

Exploit · Fix · XSS

Related Identifiers

BDU:2021-01281
CVE-2019-10785
DLA-2127-1
GHSA-PG97-WW7H-5MJR
MGASA-2020-0126
SNYK-JS-DOJOX-548257
USN-7569-1

Affected Products

Linuxmint
Ubuntu
Dojox