VYPR
Moderate severity · NVD Advisory · Published Sep 6, 2018 · Updated Sep 17, 2024

CVE-2018-1000665

Description

A reflected XSS vulnerability in the Dojo Objective Harness (DOH) prior to 1.14 allows attackers to inject arbitrary JavaScript via crafted URLs in unit test pages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability exists in the Dojo Objective Harness (DOH) in versions prior to 1.14. The flaw is present in the files unit.html, testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html, and testsDOH/_base/i18nExhaustive.js. These pages write text taken from the URL into the page without HTML-escaping it, so whoever controls the URL controls markup, and therefore script, on the page [1][3]. DOH is the test harness that ships with the Dojo Toolkit (the util/doh directory of the full distribution); it is meant for development and test environments, but any site that deploys the unmodified toolkit tree exposes the harness pages alongside the library.

Exploitation

An attacker lures a victim to a crafted URL pointing at one of the vulnerable DOH pages on the target domain. The page reflects the unescaped URL text into its markup and the victim's browser executes the attacker's JavaScript. The attacker needs no account on, or prior access to, the target domain; the only precondition is that the victim open the link. The payload runs in whatever session the victim has with that site, so the damage is greatest when the victim is logged in at the time [1].

Impact

Successful exploitation executes attacker-supplied JavaScript in the victim's browser within the origin of the vulnerable site, so the same-origin policy offers no protection for that site's own resources. This can result in theft of HTTP cookies (those not marked HttpOnly), delivery of malware, bypass of CORS trust boundaries, and any other action the victim can perform on the site [1]. In effect the attacker acts with the privileges of the victim user.

Mitigation

The vulnerability is fixed in Dojo version 1.14, released August 10, 2018 [3][4]. Upgrade the Dojo Toolkit, and with it the DOH files, to 1.14 or later. The fix escapes text taken from the URL, comments out the contents of unit.html, prevents remote script execution, and removes remote URLs from the unit test files [3]. No workaround is documented for earlier versions. Because DOH is a test harness with no role in a running application, deployments that cannot upgrade immediately should delete the DOH files from production web roots or deny access to them at the web server, and then confirm with a request to one of the affected paths that it no longer returns a 200 response.
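The unescaped-URL-text pattern described under Vulnerability and the escaping fix described above, shown side by side as an added example. This is not code from the Dojo project or from this advisory: the query parameter name `test`, the function names, and the crafted URL are assumptions constructed for illustration, and the real DOH pages derive text from the URL in their own way.

```javascript
// Added illustration of a DOH-style reflected XSS and its fix.
// Not the Dojo project's code; names and the parameter "test" are assumptions.

// Constructed sample: a crafted link to a hypothetical test page whose
// "test" parameter carries an HTML payload instead of a test name.
const CRAFTED_URL =
  'https://app.example/dojo/util/doh/unit.html?test=' +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

// Read a query-string value the way a page would read its own URL
// (WHATWG URL API, available in browsers and in Node).
function urlParam(href, name) {
  return new URL(href).searchParams.get(name) || '';
}

// VULNERABLE pattern: URL-derived text concatenated into markup unescaped.
// Whatever the link carries becomes part of the page's HTML.
function renderUnsafe(href) {
  const name = urlParam(href, 'test');
  return '<h1>Running: ' + name + '</h1>';
}

// HTML entity escaping sufficient for text placed in an element body or in
// a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// FIXED pattern: the same rendering with the text escaped first, which is
// the kind of change the 1.14 fix made to the affected pages.
function renderSafe(href) {
  const name = urlParam(href, 'test');
  return '<h1>Running: ' + escapeHtml(name) + '</h1>';
}

// Crude check used only to illustrate the difference: does the rendered
// markup contain any tag that is not part of the template? A real review
// looks at where the string is inserted, not only at what it contains.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?h1>$/.test(t));
}

// In a browser, assigning through the DOM avoids string building entirely:
//   document.getElementById('title').textContent = urlParam(location.href, 'test');
// textContent never parses its value as HTML, so no escaping step is needed.

console.log('unsafe :', renderUnsafe(CRAFTED_URL));
console.log('safe   :', renderSafe(CRAFTED_URL));
console.log('injected tag in unsafe:', containsInjectedTag(renderUnsafe(CRAFTED_URL)));
console.log('injected tag in safe  :', containsInjectedTag(renderSafe(CRAFTED_URL)));
```

The escaped form renders the payload as literal text in the heading, so the browser never sees an `img` element or its `onerror` handler. Escaping is context-dependent: the table above covers element bodies and quoted attributes, not JavaScript strings or URLs, which is why moving to `textContent` or an equivalent DOM API is the more robust fix where the page structure allows it.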

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.dojotoolkit:dojo (Maven)
Affected versions: < 1.14
Patched versions: 1.14
