CVE-2020-5259 — Vulnetix

CVE-2020-5259 PUBLISHED

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

EPSS 0.28% · 51.5th percentile

Risk Scores

EPSS Score

0.28%

51.5th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:18.04:LTS	dojo	1.11.0+dfsg-1, 0
Ubuntu:Pro:20.04:LTS	dojo	1.15.0+dfsg1-1, 1.15.0+dfsg1-1ubuntu0.1~esm1, 0
Ubuntu:Pro:16.04:LTS	dojo	*, 1.10.4+dfsg-2, 0

Exploit Intelligence

https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw (nist-nvd)
Apache synapse 反序列化 CVE–2017–15708 (github-poc)
Apache synapse 反序列化 CVE–2017–15708 (github-poc)
Apache synapse 反序列化 CVE–2017–15708 (github-poc)
Apache synapse 反序列化 CVE–2017–15708 (github-poc)
Apache synapse 反序列化 CVE–2017–15708 (github-poc)
Apache synapse 反序列化 CVE–2017–15708 (github-poc)
Apache synapse 反序列化 CVE–2017–15708 (github-poc)
Apache synapse 反序列化 CVE–2017–15708 (github-poc)
Proof of concept for CVE-2016-8858 (github-poc)

…and 1120 more exploits

Timeline

Apr 30, 2017 PoC Published
Mar 10, 2020 CVE Published
Mar 11, 2020 CVE Updated
Apr 14, 2021 EPSS Score
Jun 23, 2021 EPSS Score
Jun 28, 2021 PoC Published
Aug 24, 2021 EPSS Score
Dec 27, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 28, 2022 EPSS Score
Apr 1, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2020-5259 third-party-advisory
https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw third-party-advisory
https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-5259 third-party-advisory

Open in Interactive Console →