Bug 1831010 (CVE-2019-10785)

Summary: CVE-2019-10785 dojo: cross-site scripting via dojox.xmpp.util.xmlEncode
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andrew, bkearney, extras-orphan, frenaud, mmraka, rcritten, tlestach, tscherf, twoerner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dojox 1.16.1, dojox 1.15.2, dojox 1.14.5, dojox 1.13.6, dojox 1.12.7, dojox 1.11.9 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in dojox. Cross-site scripting is possible as only the first occurrence of each character is encoded. The highest threat from this vulnerability is to data confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-06 16:32:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1831011    
Bug Blocks: 1831012    

Description msiddiqu 2020-05-04 13:40:54 UTC 
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.

References:

https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952771
Comment 1 msiddiqu 2020-05-04 13:41:25 UTC 
Created dojo tracking bugs for this issue:

Affects: epel-all [bug 1831011]
Comment 3 Marco Benatto 2020-05-05 19:14:40 UTC 
Statement:

This flaw affects the XML encoding used on XMPP implementation at Dojo, although the FreeIPA versions shipped with Red Hat Enterprise Linux 6, 7 and 8 it doesn't make use of this specific API and are not affected by this issue.
Comment 4 Marco Benatto 2020-05-05 19:16:09 UTC 
Upstream commits for this issue:
https://github.com/dojo/dojox/pull/315/commits/6eb278356ca7b0ac7e9cba6067fcf077d2e3ad9a
https://github.com/dojo/dojox/pull/315/commits/93cd816dc49124d678b2aab0c4faf21028e2d01d
Comment 5 Marco Benatto 2020-05-05 19:16:12 UTC 
External References:

https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
Comment 6 Product Security DevOps Team 2020-05-06 16:32:03 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10785