CVE-2010-2273

Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://bugs.dojotoolkit.org/ticket/10773	Exploit
http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/	Patch Vendor Advisory
http://secunia.com/advisories/38964	Vendor Advisory
http://secunia.com/advisories/40007	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21431472
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994
http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/	Exploit
http://www.vupen.com/english/advisories/2010/1281	Vendor Advisory
http://bugs.dojotoolkit.org/ticket/10773	Exploit
http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/	Patch Vendor Advisory
http://secunia.com/advisories/38964	Vendor Advisory
http://secunia.com/advisories/40007	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21431472
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958
http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994
http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/	Exploit
http://www.vupen.com/english/advisories/2010/1281	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dojotoolkit:dojo:1.0:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.0.1:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.0.2:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.1:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.1.1:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.2:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.2.1:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.2.2:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.2.3:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.3:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.3.1:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.3.2:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.4:::::::*
	cpe:2.3:a:dojotoolkit:dojo:1.4.1:::::::*

History

21 Nov 2024, 01:16

Type	Values Removed	Values Added
References	~~() http://bugs.dojotoolkit.org/ticket/10773 - Exploit~~	() http://bugs.dojotoolkit.org/ticket/10773 - Exploit
References	~~() http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/ - Patch, Vendor Advisory~~	() http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/ - Patch, Vendor Advisory
References	~~() http://secunia.com/advisories/38964 - Vendor Advisory~~	() http://secunia.com/advisories/38964 - Vendor Advisory
References	~~() http://secunia.com/advisories/40007 - Vendor Advisory~~	() http://secunia.com/advisories/40007 - Vendor Advisory
References	~~() http://www-01.ibm.com/support/docview.wss?uid=swg21431472 -~~	() http://www-01.ibm.com/support/docview.wss?uid=swg21431472 -
References	~~() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833 -~~	() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833 -
References	~~() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849 -~~	() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849 -
References	~~() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856 -~~	() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856 -
References	~~() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896 -~~	() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896 -
References	~~() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932 -~~	() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932 -
References	~~() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958 -~~	() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958 -
References	~~() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994 -~~	() http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994 -
References	~~() http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/ - Exploit~~	() http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/ - Exploit
References	~~() http://www.vupen.com/english/advisories/2010/1281 - Vendor Advisory~~	() http://www.vupen.com/english/advisories/2010/1281 - Vendor Advisory

Information

Published : 2010-06-15 14:30

Updated : 2024-11-21 01:16

NVD link : CVE-2010-2273

Mitre link : CVE-2010-2273

CVE.ORG link : CVE-2010-2273

JSON object : View

Products Affected

dojotoolkit

dojo

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2010-2273", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2010-06-15T14:30:01.420", "references": [{"url": "http://bugs.dojotoolkit.org/ticket/10773", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/38964", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/40007", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21431472", "source": "cve@mitre.org"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833", "source": "cve@mitre.org"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849", "source": "cve@mitre.org"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856", "source": "cve@mitre.org"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896", "source": "cve@mitre.org"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932", "source": "cve@mitre.org"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958", "source": "cve@mitre.org"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994", "source": "cve@mitre.org"}, {"url": "http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2010/1281", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://bugs.dojotoolkit.org/ticket/10773", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/38964", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/40007", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21431472", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.vupen.com/english/advisories/2010/1281", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en Dojo v1.0.x anterior a v1.0.3, v1.1.x anterior a v1.1.2, v1.2.x anterior a v1.2.4, v1.3.x anterior a v1.3.3, y v1.4.x anterior a 1.4.2 permite a atacantes remotos inyectar c\u00f3digo web o HTML a trav\u00e9s de vectores sin especificar, posiblemente relacionados con dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, y util/buildscripts/jslib/buildUtil.js, como se demostr\u00f3 con parametros (1) dojoUrl y (2) testUrl de util/doh/runner.html."}], "lastModified": "2024-11-21T01:16:17.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B97B59B4-4B4C-4506-8FDF-FA6ADCE0D128"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "03BC2181-EB91-4E3C-A8D1-EB10A8C931D9"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A01BDB4-3A20-4834-B9AA-712359938834"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F26DD9CB-1C3A-4C92-A012-86BBE1E02488"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A30618B0-5361-44E6-A92E-F37C2C597E2E"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1A83DF6-675C-4AFA-BABC-65C6E4C73215"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EAA89367-3736-470C-9AB0-C2F3264837AC"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E5116D8F-B46F-404A-804A-26EFD7FA1AFE"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB69EAEF-21A2-48D4-9A11-674A900E6B2C"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "111D0158-345D-45DD-81F5-51E4A95E61B9"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65D44E2A-CAED-4B16-AAF3-A3460341D1ED"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0587636C-C1CC-4F28-AD99-5C5DD6899337"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3DED8A3-F451-43EB-9FE1-F3AB5E935754"}, {"criteria": "cpe:2.3:a:dojotoolkit:dojo:1.4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "078F33DC-B71C-4777-A1D6-313A82780592"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

4.3 /10