In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3. References: https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6 Upstream patch: https://github.com/dojo/dijit/commit/462bdcd60d0333315fe69ab4709c894d78f61301
Created dojo tracking bugs for this issue: Affects: epel-6 [bug 1879725] Affects: epel-7 [bug 1879726]
Statement: ipa as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8 is not affected by this flaw because it does not use the dijit functionality of dojo.
Flaw summary: Editing a link description in the dijit LinkDialog could allow the < character in the description text to be parsed as HTML and lead to cross-site scripting. The patch introduces a filter on the description text which, by default, replaces < with &lt;.
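The following is an added example, not dijit's code or the upstream patch, illustrating the mechanism described in the flaw summary: a link description substituted into an HTML template unescaped is parsed as markup, while a filter that rewrites < to &lt; before substitution keeps it as text. The template string, the function names (applyFilter, buildLinkHtml, introducesTag) and the filter constants are this example's own assumptions and only approximate how the dialog builds its anchor; STRICT_FILTER goes beyond the single default rule in the patch to cover the other HTML-significant characters.

```javascript
// Added example (not dijit code). Shows why escaping the link description
// before it is substituted into the anchor template prevents markup injection.

// Filter in the shape the flaw summary describes: a list of [pattern, replacement]
// pairs whose default is the single rule "replace < with &lt;".
const DEFAULT_LINK_FILTER = [[/</g, "&lt;"]];

// A stricter filter covering every HTML-significant character. Ampersand must
// be handled first so already-produced entities are not double-escaped.
const STRICT_FILTER = [
  [/&/g, "&amp;"],
  [/</g, "&lt;"],
  [/>/g, "&gt;"],
  [/"/g, "&quot;"],
  [/'/g, "&#39;"],
];

// Apply each [pattern, replacement] rule in order to the description text.
function applyFilter(text, filter) {
  return filter.reduce(
    (acc, [pattern, replacement]) => acc.replace(pattern, replacement),
    String(text)
  );
}

// Assumed template; it approximates the anchor the dialog generates but is
// not the real one. Placeholders are replaced with function callbacks so that
// "$" sequences in user input are never interpreted as replacement patterns.
const LINK_TEMPLATE = '<a href="${urlInput}" target="${targetSelect}">${textInput}</a>';

function buildLinkHtml({ urlInput, textInput, targetSelect = "_self" }, filter = DEFAULT_LINK_FILTER) {
  const safeText = applyFilter(textInput, filter);
  return LINK_TEMPLATE
    .replace("${urlInput}", () => urlInput)
    .replace("${targetSelect}", () => targetSelect)
    .replace("${textInput}", () => safeText);
}

// Detection helper: true when the generated HTML contains more element start
// tags than the one anchor we expect, i.e. the description injected markup.
function introducesTag(html, expectedTags = 1) {
  return (html.match(/<[a-zA-Z]/g) || []).length > expectedTags;
}

// Constructed sample input: a description containing a harmless tag.
const SAMPLE = { urlInput: "https://example.com/docs", textInput: "Read <b>this</b> first" };

// Unfiltered (pre-patch behaviour): the <b> element becomes real markup.
const unfiltered = buildLinkHtml(SAMPLE, []);
// Filtered (patched behaviour): "<" is emitted as "&lt;" and stays text.
const filtered = buildLinkHtml(SAMPLE);

console.log("unfiltered:", unfiltered, "injected tag:", introducesTag(unfiltered));
console.log("filtered:  ", filtered, "injected tag:", introducesTag(filtered));
```

With the empty filter the description's <b> survives into the anchor and introducesTag reports the extra element; with the default rule only the literal < is rewritten, which is exactly enough to stop the browser from opening a new tag, and STRICT_FILTER is the option to reach for if the same text is ever placed inside an attribute value.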
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-4051