Description
Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.
Remediation
References
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678
http://yuilibrary.com/support/20130515-vulnerability/
https://moodle.org/mod/forum/discuss.php?d=232496