dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. References: https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952771
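To illustrate the defect the description names, the following is an added example (not dojox's own code) that models an encoder built on String.prototype.replace with string patterns, which replaces only the first match, beside a corrected version using global regular expressions, and a check that flags output where raw XML metacharacters survive. The function names, the sample input and the check are assumptions for this illustration.

```javascript
// Added illustration of the CVE-2019-10785 encoding bug. Not dojox's code;
// it models the behaviour the advisory describes ("only the first occurrence").

// String.prototype.replace with a *string* pattern replaces only the first
// match, so every '<', '>', '&' or quote after the first one passes through raw.
function xmlEncodeFirstOnly(str) {
  if (!str) return str;
  return str
    .replace("&", "&amp;")
    .replace(">", "&gt;")
    .replace("<", "&lt;")
    .replace("'", "&apos;")
    .replace('"', "&quot;");
}

// Corrected form: global regular expressions replace every occurrence.
// '&' is handled first so the entities produced by later steps are not
// double-encoded.
function xmlEncodeAll(str) {
  if (!str) return str;
  return str
    .replace(/&/g, "&amp;")
    .replace(/>/g, "&gt;")
    .replace(/</g, "&lt;")
    .replace(/'/g, "&apos;")
    .replace(/"/g, "&quot;");
}

// Defender-side check: encoded output must contain no raw metacharacter and
// no '&' that does not start one of the five entities. Returns true when clean.
function isFullyEncoded(encoded) {
  return !/[<>'"]/.test(encoded) && !/&(?!(amp|lt|gt|apos|quot);)/.test(encoded);
}

// Constructed sample: two elements and a quoted value in one string, the
// shape of data that reaches an XMPP stanza body.
const sample = '<a>x</a><b>"y"</b>';

// Returns both encodings and the check result for each, for comparison.
function demo() {
  const firstOnly = xmlEncodeFirstOnly(sample);
  const all = xmlEncodeAll(sample);
  return {
    firstOnly,
    all,
    firstOnlySafe: isFullyEncoded(firstOnly), // false: second '<' survives
    allSafe: isFullyEncoded(all),             // true
  };
}
```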
Created dojo tracking bugs for this issue: Affects: epel-all [bug 1831011]
Statement: This flaw affects the XML encoding used in the XMPP implementation in Dojo. The FreeIPA versions shipped with Red Hat Enterprise Linux 6, 7 and 8 do not make use of this specific API and are not affected by this issue.
Upstream commits for this issue: https://github.com/dojo/dojox/pull/315/commits/6eb278356ca7b0ac7e9cba6067fcf077d2e3ad9a https://github.com/dojo/dojox/pull/315/commits/93cd816dc49124d678b2aab0c4faf21028e2d01d
External References: https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10785