Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.
Cross-site scripting (XSS) vulnerability in Dojo Toolkit before 1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in dijit.Editor in Dojo before 1.1 allows remote attackers to inject arbitrary web script or HTML via XML entities in a TEXTAREA element.
In affected versions of dojo, the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as objects. An attacker manipulates these attributes to overwrite, or pollute, the base object prototype of a JavaScript application by injecting other values.
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Dojo Objective Harness (DOH) contains a Cross Site Scripting (XSS) vulnerability that can result in a victim being attacked through their browser, and can be used to deliver malware, steal HTTP cookies, or bypass CORS trust. This attack appears to be exploitable when victims are lured to a website under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge.
In Dojo Toolkit, there is unescaped string injection in dojox/Grid/DataGrid.
dijit.Editor in Dojo Toolkit allows XSS via the onload attribute of an SVG element.