CVE-2010-2273
Cross-Site Scripting in dojo
Description
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
How to fix CVE-2010-2273
To remediate CVE-2010-2273, upgrade the affected package to one of the fixed versions listed below.
- Upgrade to 1.4.2+dfsg-1 or later
- Upgrade to 1.13.1 or later
Is CVE-2010-2273 being exploited?
Moderate — EPSS is 43.2%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 1.4.2+dfsg-1
- >= 1.13.0, < 1.13.1