Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.
Masato Kinugawa discovered a security flaw in the SWF component of the
dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.
After evaluating the disclosed vulnerability, similar additional XSS vulnerabilities were discovered by the Dojo Toolkit security team in other dojox components including
dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in
Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.
Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier
New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:
Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.
1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.
CVSS Severity (2.0)
CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2
CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
The Adobe Flash Player ExternalInterface API contains a known security issue where backslashes in strings passed to
ExternalInterface.call are not correctly escaped by the Flash Player runtime. This enables arbitrary code to be executed if unsanitised user input is passed through
ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through
dojo.publish, introducing a cross-site scripting vulnerability.
dojox/embed/Flash performs string building of HTML for injection to the page without ensuring special characters are properly encoded. This allowed arbitrary HTML to be injected onto a page that uses
dojox/embed/Flash if unsanitised user input were passed to it.
2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.
What can I do to prevent this from happening in the future?
There is currently a lot of crufty old code in dojox that is unmaintained or undermaintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.
If you’re interested in lending a helping hand, please get in touch by posting on the mailing list or visiting us at #dojo on irc.freenode.net. Thanks!