Candidate: CVE-2020-5259
PublicDate: 2020-03-10 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5259
 https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
 https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
Description:
 In affected versions of dojox (NPM package), the jqMix method is vulnerable
 to Prototype Pollution. Prototype Pollution refers to the ability to inject
 properties into existing JavaScript language construct prototypes, such as
 objects. An attacker manipulates these attributes to overwrite, or pollute,
 a JavaScript application object prototype of the base object by injecting
 other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7,
 1.14.6, 1.15.3 and 1.16.2
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953587
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N [8.6 HIGH]


Patches_dojo:
upstream_dojo: needs-triage
precise/esm_dojo: DNE
trusty_dojo: ignored (out of standard support)
trusty/esm_dojo: DNE
xenial_dojo: ignored (end of standard support, was needs-triage)
bionic_dojo: needs-triage
eoan_dojo: ignored (reached end-of-life)
focal_dojo: needs-triage
groovy_dojo: not-affected (1.15.3+dfsg1-1)
hirsute_dojo: not-affected (1.15.3+dfsg1-1)
impish_dojo: not-affected (1.15.3+dfsg1-1)
jammy_dojo: not-affected (1.15.3+dfsg1-1)
devel_dojo: not-affected (1.15.3+dfsg1-1)