In Dijit before version 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, and 1.16.3.
Created dojo tracking bugs for this issue:
Affects: epel-6 [bug 1879725]
Affects: epel-7 [bug 1879726]
ipa as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8 is not affected by this flaw because it does not use the dijit functionality of dojo.
Editing a link description in dijit LinkDialog could allow for parsing of the < character and lead to cross-site scripting. The patch introduces a filter which is set to replace < with &lt; by default.
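The filter approach described in the comment above, as an added example that is not Dijit's code and not part of the original report: a list of [pattern, replacement] pairs is applied to the link description before it is placed into the anchor markup. All function names, the attribute escaping for the URL, and the sample description are assumptions constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not Dijit's API.

// Filter list in the shape the comment describes: [pattern, replacement]
// pairs applied in order. The default replaces "<" with "&lt;".
const DEFAULT_TEXT_FILTERS = [[/</g, "&lt;"]];

function applyFilters(text, filters = DEFAULT_TEXT_FILTERS) {
  return filters.reduce(
    (out, [pattern, replacement]) => out.replace(pattern, replacement),
    String(text)
  );
}

// Assumption: the URL goes into an attribute and is escaped separately;
// the description filter does not cover attribute context.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;");
}

// "Before": the description is interpolated into markup unchanged,
// so any "<" in it is parsed as the start of a tag.
function buildLinkUnfiltered(url, description) {
  return `<a href="${escapeAttr(url)}">${description}</a>`;
}

// "After": the description passes through the filter list first.
function buildLinkFiltered(url, description, filters = DEFAULT_TEXT_FILTERS) {
  return `<a href="${escapeAttr(url)}">${applyFilters(description, filters)}</a>`;
}

// Crude check for review or tests: count element-opening tags in the
// generated markup. Only the anchor itself should open an element.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample input: a description that carries its own markup.
const SAMPLE_DESCRIPTION = 'Docs <img src="x" onerror="console.log(1)">';

console.log(buildLinkUnfiltered("https://example.com/", SAMPLE_DESCRIPTION));
console.log(buildLinkFiltered("https://example.com/", SAMPLE_DESCRIPTION));
```

With the default filter the description text renders literally, so a description such as "1 < 2" still displays as typed.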
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):