CVE-2019-10785: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2019-10785 affects dojox, a JavaScript framework component, in all versions before 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7, and 1.11.9. The vulnerability was discovered in 2019 and is related to a Cross-site Scripting (XSS) issue in the dojox.xmpp.util component (CVE Mitre, GitHub Advisory).

The vulnerability exists due to insufficient XML escaping in the dojox.xmpp.util.xmlEncode function. The function only encodes the first occurrence of each special character instead of encoding all occurrences, which can lead to XSS vulnerabilities. The issue specifically affects the dojox/xmpp and dojox/dtl components (GitHub Advisory).

The vulnerability potentially enables Cross-site Scripting (XSS) attacks against applications using the affected versions of dojox, particularly those implementing the XMPP functionality. This could allow attackers to execute malicious scripts in the context of the vulnerable application (GitHub Advisory).

Users are advised to upgrade to the patched versions: 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7, or 1.11.9. For users unable to upgrade immediately, the fix can be applied separately as a patch by implementing the changes from pull request #315. Users of Dojo 1.10.x and earlier versions should review the vulnerability and backport the changes as appropriate (GitHub Advisory, Debian Security).