PT-2010-5356 · Yahoo+2 · Yui+2

Published: 2010-11-07 · Updated: 2011-02-05

CVE-2010-4208

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: YUI versions 2.5.0 through 2.8.1
Description: A cross-site scripting (XSS) issue exists in the Flash component infrastructure of YUI, which can be exploited by remote attackers to inject arbitrary web script or HTML. This is achieved through vectors related to uploader/assets/uploader.swf. The issue affects products that use YUI, such as Bugzilla and Moodle.
Recommendations: For YUI versions 2.5.0 through 2.8.1, consider disabling the Flash component infrastructure as a temporary workaround until a patch is available. Restrict access to the uploader/assets/uploader.swf file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS


Weakness Enumeration

Related Identifiers

CVE-2010-4208

Affected Products

Bugzilla
Moodle
Yui