Source: dojo Version: 1.15.2+dfsg1-1 Severity: important Tags: security upstream
Hi, The following vulnerability was published for dojo. CVE-2020-5259[0]: | In affected versions of dojox (NPM package), the jqMix method is | vulnerable to Prototype Pollution. Prototype Pollution refers to the | ability to inject properties into existing JavaScript language | construct prototypes, such as objects. An attacker manipulates these | attributes to overwrite, or pollute, a JavaScript application object | prototype of the base object by injecting other values. This has been | patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-5259 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5259 [1] https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw [2] https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da Please adjust the affected versions in the BTS as needed. Regards, Salvatore
