Description
YUI is a free, open source JavaScript and CSS library for building richly interactive web applications.
A security vulnerability was discovered by @soiaxx in YUI 2 involving self-hosted uploader.swf files. It affects YUI 2 versions 2.5.0 through 2.9.0 and allows arbitrary JavaScript to run in the origin of the site hosting the file (a reflected cross-site scripting issue) by passing a crafted allowedDomain query-string parameter, such as this one:
uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//
This problem is not reproducible in YUI 3.
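The shape of the payload above (a backslash before the encoded quote, braces and parentheses that close an enclosing expression, a catch clause, then // to comment out the remainder) is what one uses against a sink that builds a JavaScript call by string concatenation inside try/catch, backslash-escapes double quotes, but does not escape backslashes. The following is an added example, not code from YUI or from the advisory: it URL-decodes the advisory's own payload, feeds it to a hypothetical wrapper of that shape (the wrapper text and the names onReady and __flash__toXML are assumptions chosen so the payload parses, not the real uploader.swf internals), runs the result with alert and document stubbed, and shows the hardened form that serialises the value with JSON.stringify instead.

```javascript
// Added example, not from the YUI project or the advisory. The wrapper string
// and the names onReady / __flash__toXML are hypothetical, chosen so the
// advisory's payload parses against them.

// The payload exactly as it appears in the advisory's query string.
const ADVISORY_PAYLOAD =
  '\\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//';

// What the plugin sees after the query string is URL-decoded.
function decodeParam(raw) {
  return decodeURIComponent(raw);
}

// Flawed pattern: the JS call is built by concatenation and only the double
// quote is escaped. A value beginning with a backslash turns the added escape
// into an escaped backslash, so the quote that follows closes the literal.
function buildCallFlawed(value) {
  const escaped = value.replace(/"/g, '\\"');
  return 'try { __flash__toXML(onReady(({allowedDomain: "' + escaped +
         '"}))); } catch (e) { "<undefined/>"; }';
}

// Hardened pattern: JSON.stringify escapes backslashes, quotes, newlines and
// U+2028/U+2029, so the value always stays a single string literal.
function buildCallSafe(value) {
  return 'try { __flash__toXML(onReady(({allowedDomain: ' +
         JSON.stringify(value) + '}))); } catch (e) { "<undefined/>"; }';
}

// Run the generated snippet with alert and document stubbed. onReady is left
// undefined on purpose: when the .swf is opened directly by URL there is no
// YUI page script, so the callback does not exist, the try body throws, and
// control passes to whichever catch clause the generated code ends up with.
function execute(code) {
  const fired = [];
  const stubDocument = { domain: 'victim.example' }; // constructed value
  const stubAlert = (msg) => fired.push(String(msg));
  const stubToXML = (v) => v;
  try {
    new Function('alert', 'document', '__flash__toXML', code)(
      stubAlert, stubDocument, stubToXML);
    return { fired, error: null };
  } catch (e) {
    return { fired, error: e.name };
  }
}

// Decode the advisory payload and push it through both wrappers.
function demonstrate() {
  const value = decodeParam(ADVISORY_PAYLOAD);
  return {
    decoded: value,
    flawed: execute(buildCallFlawed(value)),
    safe: execute(buildCallSafe(value)),
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

With the flawed wrapper the injected catch runs and alert receives the stubbed document.domain; with the JSON.stringify wrapper the same input stays inside the string literal and the original catch swallows the ReferenceError without running any attacker code.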
Remediation
If you are using, or even merely hosting, any YUI 2 .swf file, remove these files from your hosts immediately. The files are exploitable whether or not any page on your site references them, because the vulnerable .swf can be loaded directly by URL with a query string like the one above.
YUI 2 is an end-of-life project and is no longer supported, so no patched release will be issued. All YUI 2 .swf files have been removed from the Yahoo CDN; if your site relied on loading them from the CDN, they are no longer available there.
References
Security Bulletin: Addressing a Vulnerability in YUI 2.5.0 through YUI 2.9.0