{"api_version":"1","generated_at":"2026-05-13T03:12:00+00:00","cve":"CVE-2019-10785","urls":{"html":"https://cve.report/CVE-2019-10785","api":"https://cve.report/api/cve/CVE-2019-10785.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-10785","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-10785"},"summary":{"title":"CVE-2019-10785","description":"dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.","state":"PUBLIC","assigner":"report@snyk.io","published_at":"2020-02-13 17:15:00","updated_at":"2023-11-07 03:02:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html","name":"[debian-lts-announce] 20200229 [SECURITY] [DLA 2127-1] dojo security update","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 2127-1] dojo security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://snyk.io/vuln/SNYK-JS-DOJOX-548257%2C","name":"https://snyk.io/vuln/SNYK-JS-DOJOX-548257%2C","refsource":"","tags":[],"title":"Page not found | Snyk","mime":"text/html","httpstatus":"422","archivestatus":"404"},{"url":"https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr","name":"https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"XSS due to insufficient escape in dojox.xmpp.util.xmlEncode  · Advisory · dojo/dojox · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://snyk.io/vuln/SNYK-JS-DOJOX-548257,","name":"https://snyk.io/vuln/SNYK-JS-DOJOX-548257,","refsource":"MISC","tags":["Broken Link"],"title":"Invalid vulnerability","mime":"text/html","httpstatus":"404","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-10785","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10785","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"10785","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10785","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10785","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"dojox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10785","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"dojox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-10785","qid":"981589","title":"Nodejs (npm) Security Update for dojox (GHSA-pg97-ww7h-5mjr)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-10785","ASSIGNER":"report@snyk.io","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"dojox","version":{"version_data":[{"version_value":"all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9."}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Cross-site Scripting"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://snyk.io/vuln/SNYK-JS-DOJOX-548257,","url":"https://snyk.io/vuln/SNYK-JS-DOJOX-548257,"},{"refsource":"MISC","name":"https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr","url":"https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr"},{"refsource":"MLIST","name":"[debian-lts-announce] 20200229 [SECURITY] [DLA 2127-1] dojo security update","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00033.html"}]},"description":{"description_data":[{"lang":"eng","value":"dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them."}]}},"nvd":{"publishedDate":"2020-02-13 17:15:00","lastModifiedDate":"2023-11-07 03:02:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.15.0","versionEndExcluding":"1.15.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.14.0","versionEndExcluding":"1.14.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.13.0","versionEndExcluding":"1.13.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.12.0","versionEndExcluding":"1.12.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.16.0","versionEndExcluding":"1.16.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.11.0","versionEndExcluding":"1.11.9","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"10785","Ordinal":"149064","Title":"CVE-2019-10785","CVE":"CVE-2019-10785","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"10785","Ordinal":"1","NoteData":"dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"10785","Ordinal":"2","NoteData":"2020-02-13","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"10785","Ordinal":"3","NoteData":"2020-02-29","Type":"Other","Title":"Modified"}]}}}