Bug 1620362 (CVE-2018-15494)

Summary: CVE-2018-15494 dojo: Cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abergmann, andrew, bkearney, ggainey, meissner, mmraka, tlestach
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dojo 1.14 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-01-10 08:08:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1620363, 1620364    
Bug Blocks: 1620365    

Description Sam Fowler 2018-08-23 05:16:35 UTC 
Dojo toolkit before version 1.14 is vulnerable to a cross-site scripting (XSS) due to unescaped strings when editing rows in dojox/Grid/DataGrid.


Upstream Patch:

https://github.com/dojo/dojox/pull/283/commits/e92ee87750af8fbc7e474bb8e8661821aa9f88fa
Comment 1 Sam Fowler 2018-08-23 05:17:01 UTC 
Created dojo tracking bugs for this issue:

Affects: epel-all [bug 1620364]
Affects: fedora-all [bug 1620363]
Comment 2 Cedric Buissart 2018-12-12 10:13:29 UTC 
Statement:

Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.