Description

Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

Remediation

References

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678

http://yuilibrary.com/support/20130515-vulnerability/

https://moodle.org/mod/forum/discuss.php?d=232496

Related Vulnerabilities

CVE-2022-1295 Vulnerability in npm package fullpage.js

CVE-2018-3722 Vulnerability in npm package merge-deep

CVE-2018-1000067 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-25857 Vulnerability in maven package org.yaml:snakeyaml

CVE-2011-2093 Vulnerability in maven package com.adobe.blazeds:blazeds-core

Severity

Critical

Classification

CWE-79

Tags

Patch Vendor Advisory