[Pkg-javascript-devel] Bug#603513: yui: multiple xss issues in included swf files

Michael Gilbert michael.s.gilbert at gmail.com
Sun Nov 14 20:53:48 UTC 2010


Package: yui
Version: 2.5.0-1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) IDs were
published for yui.

CVE-2010-4207[0]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla,
| Moodle, and other products, allows remote attackers to inject
| arbitrary web script or HTML via vectors related to
| charts/assets/charts.swf.

CVE-2010-4208[1]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla,
| Moodle, and other products, allows remote attackers to inject
| arbitrary web script or HTML via vectors related to
| uploader/assets/uploader.swf.

CVE-2010-4209[2]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1
| through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web
| script or HTML via vectors related to swfstore/swfstore.swf.

These are fixed in upstream 2.8.2.  I couldn't find the patches, and
you're going to need source for the affected swf files anyway (i.e. fix
bug #591199 first).

If you fix the vulnerabilities, please also make sure to include the
CVE IDs in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4207
    http://security-tracker.debian.org/tracker/CVE-2010-4207
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4208
    http://security-tracker.debian.org/tracker/CVE-2010-4208
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4209
    http://security-tracker.debian.org/tracker/CVE-2010-4209
