[Pkg-javascript-devel] Bug#603513: yui: multiple xss issues in included swf files
Moritz Muehlenhoff
jmm at inutil.org
Wed Nov 24 20:47:31 UTC 2010
On Sun, Nov 14, 2010 at 03:53:48PM -0500, Michael Gilbert wrote:
> Package: yui
> Version: 2.5.0-1
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for yui.
>
> CVE-2010-4207[0]:
> | Cross-site scripting (XSS) vulnerability in the Flash component
> | infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla,
> | Moodle, and other products, allows remote attackers to inject
> | arbitrary web script or HTML via vectors related to
> | charts/assets/charts.swf.
>
> CVE-2010-4208[1]:
> | Cross-site scripting (XSS) vulnerability in the Flash component
> | infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla,
> | Moodle, and other products, allows remote attackers to inject
> | arbitrary web script or HTML via vectors related to
> | uploader/assets/uploader.swf.
>
> CVE-2010-4209[2]:
> | Cross-site scripting (XSS) vulnerability in the Flash component
> | infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1
> | through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web
> | script or HTML via vectors related to swfstore/swfstore.swf.
>
> These are fixed in upstream 2.8.2. I couldn't find the patches, and
> you're going to need source for the affected swf files anyway (i.e. fix
> bug #591199 first).
Jaldhar, what's the status of this security bug?
Cheers,
Moritz
More information about the Pkg-javascript-devel
mailing list