Description

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050820.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050830.html

http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html

http://moodle.org/mod/forum/discuss.php?d=160910

http://secunia.com/advisories/41955

http://secunia.com/advisories/42271

http://www.bugzilla.org/security/3.2.8/

http://www.openwall.com/lists/oss-security/2010/11/07/1

http://www.securityfocus.com/archive/1/514622

http://www.securityfocus.com/bid/44420

http://www.securitytracker.com/id?1024683

http://www.vupen.com/english/advisories/2010/2878

http://www.vupen.com/english/advisories/2010/2975

http://yuilibrary.com/support/2.8.2/

Related Vulnerabilities

CVE-2014-7810 Vulnerability in maven package org.mortbay.jasper:apache-el

CVE-2023-25763 Vulnerability in maven package org.jenkins-ci.plugins:email-ext

CVE-2022-36919 Vulnerability in maven package org.jenkins-ci.plugins:coverity

CVE-2023-25761 Vulnerability in maven package org.jenkins-ci.plugins:junit

CVE-2022-24697 Vulnerability in maven package org.apache.kylin:kylin-server-base

Severity

Critical

Classification

CWE-79

Tags

Vendor Advisory Patch