Description
Cross-site scripting (XSS) vulnerability in dijit/tests/_testCommon.js in Dojo Toolkit SDK before 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the theme parameter, as demonstrated by an attack against dijit/tests/form/test_Button.html.
Affected products
- dojotoolkit / dojo 1.4.1
- dojotoolkit / dojo 0.1.0 – 0.1.0
- dojotoolkit / dojo 0.2.0 – 0.2.0
- dojotoolkit / dojo 0.2.1 – 0.2.1
- dojotoolkit / dojo 0.2.2 – 0.2.2
- dojotoolkit / dojo 0.3.0 – 0.3.0
- dojotoolkit / dojo 0.3.1 – 0.3.1
- dojotoolkit / dojo 0.4.0 – 0.4.0
- dojotoolkit / dojo 0.4.1 – 0.4.1
- dojotoolkit / dojo 0.4.2 – 0.4.2
- dojotoolkit / dojo 0.4.3 – 0.4.3
- dojotoolkit / dojo 0.9.0 – 0.9.0
- dojotoolkit / dojo 1.0 – 1.0
- dojotoolkit / dojo 1.0.1 – 1.0.1
- dojotoolkit / dojo 1.0.2 – 1.0.2
- dojotoolkit / dojo 1.1 – 1.1
- dojotoolkit / dojo 1.1.1 – 1.1.1
- dojotoolkit / dojo 1.2 – 1.2
- dojotoolkit / dojo 1.2.1 – 1.2.1
- dojotoolkit / dojo 1.2.2 – 1.2.2
- dojotoolkit / dojo 1.2.3 – 1.2.3
- dojotoolkit / dojo 1.3 – 1.3
- dojotoolkit / dojo 1.3.1 – 1.3.1
- dojotoolkit / dojo 1.3.2 – 1.3.2
- dojotoolkit / dojo 1.4 – 1.4
References
- VENDOR_ADVISORY: http://www.vupen.com/english/advisories/2010/1281
- MISC: http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849
- MISC: http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932
- MISC: http://bugs.dojotoolkit.org/ticket/10773
- MISC: http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994
- MISC: http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833
- VENDOR_ADVISORY: http://secunia.com/advisories/38964
- MISC: http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958
- MISC: http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856
- MISC: http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896
- VENDOR_ADVISORY: http://secunia.com/advisories/40007
- MISC: http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/
- MISC: http://www-01.ibm.com/support/docview.wss?uid=swg21431472