CVE-2013-4939

Name of the Vulnerable Software and Affected Versions YUI versions 3.0.0 through 3.9.1 Moodle versions prior to 2.1.10 Moodle versions 2.2.x prior to 2.2.11 Moodle versions 2.3.x prior to 2.3.8 Moodle versions 2.4.x prior to 2.4.5 Moodle versions 2.5.x prior to 2.5.1

Description A cross-site scripting (XSS) issue exists in the IO Utility component, specifically in io.swf, allowing remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. This affects various products, including Moodle, that utilize YUI. The uploader.swf and io.swf utilities are vulnerable to script injection in the URL.

Recommendations For YUI versions 3.0.0 through 3.9.1: Delete self-hosted copies of the vulnerable files if not in use, use the Yahoo! CDN hosted files, or use the patched files provided by YUI. For Moodle versions prior to 2.1.10: Update to version 2.1.10 or later. For Moodle versions 2.2.x prior to 2.2.11: Update to version 2.2.11 or later. For Moodle versions 2.3.x prior to 2.3.8: Update to version 2.3.8 or later. For Moodle versions 2.4.x prior to 2.4.5: Update to version 2.4.5 or later. For Moodle versions 2.5.x prior to 2.5.1: Update to version 2.5.1 or later.