
Prototype Pollution in Dojox

Low severity GitHub Reviewed Published Mar 10, 2020 in dojo/dojox • Updated Jan 9, 2023

Package

npm dojox (npm)

Affected versions

< 1.11.10
>= 1.12.0, < 1.12.8
>= 1.13.0, < 1.13.7
>= 1.14.0, < 1.14.6
>= 1.15.0, < 1.15.3
>= 1.16.0, < 1.16.2

Patched versions

1.11.10
1.12.8
1.13.7
1.14.6
1.15.3
1.16.2

Description

The Dojox jQuery wrapper jqMix mixin method is vulnerable to Prototype Pollution.

Affected Area:

```js
//https://github.com/dojo/dojox/blob/master/jq.js#L442
// The enclosing function header, closing braces and return were added here so
// the excerpt is self-contained; the loop body is unchanged and still vulnerable:
// a "__proto__" key in props makes obj[x] resolve to Object.prototype, which the
// recursive jqMix call then writes into.
var jqMix = function(obj, props){
	var tobj = {};
	for(var x in props){
		// the "tobj" condition avoid copying properties in "props"
		// inherited from Object.prototype.  For example, if obj has a custom
		// toString() method, don't overwrite it with the toString() method
		// that props inherited from Object.prototype
		if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
			if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
				if(dojo.isArray(props[x])){
					obj[x] = props[x];
				}else{
					obj[x] = jqMix(obj[x], props[x]);
				}
			}else{
				obj[x] = props[x];
			}
		}
	}
	return obj;
};
```
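A hardened mixin with the same shape as the loop above, added here as an illustration and not taken from dojox: it skips keys that redirect the walk onto `Object.prototype`, copies only own properties, and never merges into an inherited target. `pollutionCheck` is a constructed regression check that merges JSON carrying a `"__proto__"` key and reports whether anything leaked onto `Object.prototype` (names `safeMix`, `pollutionCheck` and `UNSAFE_KEYS` are this example's own).

```javascript
"use strict";

// Keys that can make a recursive merge walk onto Object.prototype or a constructor.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Recursively copies own enumerable properties of props into obj.
// Differences from the vulnerable jqMix loop: unsafe keys are skipped, only own
// properties are visited, and a nested target is only reused when it is an own
// plain-object property of obj (otherwise a fresh object is created).
function safeMix(obj, props) {
  for (const x of Object.keys(props)) {
    if (UNSAFE_KEYS.has(x)) {
      continue;
    }
    const value = props[x];
    if (value === undefined || value === obj) {
      continue;
    }
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(obj, x) && isPlainObject(obj[x]);
      obj[x] = safeMix(ownPlain ? obj[x] : {}, value);
    } else {
      obj[x] = value; // arrays and primitives are assigned by reference, as jqMix does
    }
  }
  return obj;
}

// Regression check on constructed input: JSON.parse turns "__proto__" into an
// own string-keyed property, which is exactly what for-in would hand to jqMix.
function pollutionCheck() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');
  const result = safeMix({ a: { c: 2 } }, untrusted);
  return {
    leaked: ({}).polluted !== undefined,              // must stay false
    merged: result.a.b === 1 && result.a.c === 2,     // legitimate keys still merged
    hasProtoKey: Object.prototype.hasOwnProperty.call(result, "__proto__"),
  };
}
```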

References

@dylans dylans published to dojo/dojox Mar 10, 2020
Reviewed Mar 10, 2020
Published to the GitHub Advisory Database Mar 10, 2020
Last updated Jan 9, 2023

Severity

Low

EPSS score

0.217%
(59th percentile)

Weaknesses

CVE ID

CVE-2020-5259

GHSA ID

GHSA-3hw5-q855-g6cw

Source code

No known source code