Nathan Partlan

**Name of the Vulnerable Software and Affected Versions** SWFUpload versions 2.2.0.1 and earlier WordPress versions prior to 3.3.2 TinyMCE Image Manager version 1.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `movieName` parameter, related to the `ExternalInterface.call` function. This could potentially lead to unauthorized actions on behalf of the user. **Recommendations** For SWFUpload versions 2.2.0.1 and earlier, consider disabling the `ExternalInterface.call` function until a patch is available. For WordPress versions prior to 3.3.2, update to version 3.3.2 or later. For TinyMCE Image Manager version 1.1, avoid using the `movieName` parameter in the affected API endpoint until the issue is resolved.