Description

Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

Remediation

References

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678

http://yuilibrary.com/support/20130515-vulnerability/

https://moodle.org/mod/forum/discuss.php?d=232496

Related Vulnerabilities

CVE-2020-26282 Vulnerability in maven package com.browserup:browserup-proxy-rest

CVE-2020-7746 Vulnerability in maven package org.webjars.bowergithub.chartjs:chart.js

CVE-2020-7760 Vulnerability in maven package org.webjars.npm:codemirror

CVE-2022-31198 Vulnerability in maven package org.webjars.npm:openzeppelin__contracts

CVE-2021-45105 Vulnerability in maven package org.apache.logging.log4j:log4j-core

Severity

Critical

Classification

CWE-79

Tags

Patch Vendor Advisory