PT-2010-5356 · Yahoo+2 · Yui+2

Published: 2010-11-07 · Updated: 2011-02-05 · CVE-2010-4208

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: YUI versions 2.5.0 through 2.8.1

Description: A cross-site scripting (XSS) issue exists in the Flash component infrastructure of YUI, which can be exploited by remote attackers to inject arbitrary web script or HTML. This is achieved through vectors related to uploader/assets/uploader.swf. The issue affects products that use YUI, such as Bugzilla and Moodle.

Recommendations: For YUI versions 2.5.0 through 2.8.1, consider disabling the Flash component infrastructure as a temporary workaround until a patch is available. Restrict access to the uploader/assets/uploader.swf file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Weakness Enumeration

Related identifiers

CVE-2010-4208

Affected products

Bugzilla
Moodle
Yui