CVE-2012-3414

Name of the Vulnerable Software and Affected Versions SWFUpload versions 2.2.0.1 and earlier WordPress versions prior to 3.3.2 TinyMCE Image Manager version 1.1

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the ExternalInterface.call function. This could potentially lead to unauthorized actions on behalf of the user.

Recommendations For SWFUpload versions 2.2.0.1 and earlier, consider disabling the ExternalInterface.call function until a patch is available. For WordPress versions prior to 3.3.2, update to version 3.3.2 or later. For TinyMCE Image Manager version 1.1, avoid using the movieName parameter in the affected API endpoint until the issue is resolved.