Dojo Toolkit Multiple Cross-Site Scripting Vulnerability


Description   (#A vulnerability has been identified in Dojo Toolkit.#A remote attacker could exploit it in order to execute arbitrary Javascript or HTML code by inciting their victim into following a specially formed link.##This vulnerability is located in the following components:#- 'dojox/form/FileUploader' (dojox/form/resources/fileuploader.swf) ;#- 'dojox/form/Uploader' (dojox/form/resources/uploader.swf) ;#- 'dojox/av/FLAudio' (dojox/av/resources/audio.swf) ;#- 'dojox/av/FLVideo' (dojox/av/resources/video.swf) ;#- 'dojox/embed/Flash'.)
     
Vulnerable Products   Vulnerable Software:
Content Manager OnDemand (IBM) - Dojo Toolkit (Dojo Foundation) - 1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4, ..., 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5FileNet (IBM) - Content Foundation 5.2.0, Content Foundation 5.2.1, Content Foundation 5.2.x, Content Manager 4.5.1, Content Manager 5.0, ..., Content Manager 5.1, Content Manager 5.1.0, Content Manager 5.2.0, Content Manager 5.2.0.x, Content Manager 5.2.1Lotus Domino Server (IBM) - 8.5, 8.5.1, 8.5.1 FP1, 8.5.1 FP2, 8.5.1 FP3, ..., 9.0.1 FP2 IF2, 9.0.1 FP2 IF3, 9.0.1 FP3, 9.0.1 FP3 IF1, 9.0.1 FP3 IF2Lotus iNotes (Domino Web Access) (IBM) - 6.5, 7.0, 7.0.1, 7.0.2, 7.0.3, ..., 9.0.1 FP2, 9.0.1 FP2 IF1, 9.0.1 FP3, 9.0.1 FP3 IF1, 9.0.1 FP3 IF2Lotus Notes (IBM) - 5.0.1, 5.0.1.02, 5.0.10, 5.0.11, 5.0.12, ..., 9.0.1 FP2, 9.0.1 FP2 IF1, 9.0.1 FP3, 9.0.1 FP3 IF1, 9.0.1 FP3 IF2Tivoli Common Reporting (IBM) - 2.1, 2.1.1, 2.1.1.2, 3.1.0.0, 3.1.0.1, 3.1.0.2WebSphere Application Server (IBM) - 8.0, 8.0.0.0, 8.0.0.1, 8.0.0.10, 8.0.0.2, ..., 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9Websphere Process Server (IBM) - 7.0.0.0, 7.0.0.1, 7.0.0.2, 7.0.0.3, 7.0.0.4, 7.0.0.5Worklight (IBM) - 5.0.5.0, 5.0.5.1, 5.0.6.0, 5.0.6.1, 5.0.6.2, ..., 6.1.0.1, 6.1.0.2, 6.2.0, 6.2.0.1, 6.3.0.0
     
Solution   - 2.0.3: 2.0.3-ICN-FP003.
     
CVE   CVE-2014-8917
     
References   - Dojo Toolkit : Dojo Security Advisory 2014-12-08
http://dojotoolkit.org/blog/dojo-security-advisory-2014-12-08
- IBM : Vulnerabilities in Dojo Toolkit affect IBM Worklight and IBM MobileFirst Platform Foundation (CVE-2014-8917)
http://www-01.ibm.com/support/docview.wss?uid=swg21697259
- IBM Security Bulletin: Multiple Vulnerabilities in IBM Notes, iNotes and Domino (CVE-2014-8917, CVE-2015-1902, CVE-2015-1903)
http://www-01.ibm.com/support/docview.wss?uid=swg21883245
- IBM : Cross-Site Scripting vulnerabilities in Dojo affect IBM Business Process Manager (BPM), WebSphere Lombardi Edition (WLE), and WebSphere Process Server (WPS) - CVE-2014-8917
http://www-01.ibm.com/support/docview.wss?uid=swg21883360
- IBM : Multiple vulnerability in Product IBM Tivoli Common Reporting( CVE-2015-0138, CVE-2014-9495,CVE-2014-8917,CVE-2015-0973 ,CVE-2014-3566 ,CVE-2014-6457 ,CVE-2014-6593,CVE-2015-0410,CVE-2014-3569,CVE-2015-0204,CVE-2014-3570)http://www-01.ibm.com/support/docview.wss?uid=swg21903299
- IBM : One vulnerability in IBM FileNet Content Manager and IBM Content Foundation (CVE-2014-8917)
https://www-304.ibm.com/support/docview.wss?uid=swg21697151
- IBM : Multiple Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.11
http://www-01.ibm.com/support/docview.wss?uid=swg21963275
- IBM : Content Navigator affected by dojox/form/resources/*.swf and dojox/av/resources/*.swf XSS vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg21696244
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
XSS - Prevention - GET : javascript code in flash clickTAG parameter
3.2.0
XSS - Prevention - GET : 'script' tag in flash clickTAG parameter
3.2.0
     


 
 
 
 
 Risk level 
Low 

 Vulnerability First Public Report Date 
2014-12-09 

 Target Type 
Client 

 Possible exploit 
Remote