Description

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050820.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050830.html

http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html

http://moodle.org/mod/forum/discuss.php?d=160910

http://secunia.com/advisories/41955

http://secunia.com/advisories/42271

http://www.bugzilla.org/security/3.2.8/

http://www.openwall.com/lists/oss-security/2010/11/07/1

http://www.securityfocus.com/archive/1/514622

http://www.securityfocus.com/bid/44420

http://www.securitytracker.com/id?1024683

http://www.vupen.com/english/advisories/2010/2878

http://www.vupen.com/english/advisories/2010/2975

http://yuilibrary.com/support/2.8.2/

Related Vulnerabilities

CVE-2013-2071 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2012-5883 Vulnerability in npm package yui

CVE-2023-25762 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-build-step

CVE-2023-41887 Vulnerability in maven package org.openrefine:database

CVE-2014-4611 Vulnerability in maven package net.jpountz.lz4:lz4

Severity

Critical

Classification

CWE-79

Tags

Vendor Advisory Patch