[Pkg-javascript-devel] Bug#693608: yui: multiple cross-site scripting issues in the flash component infrastructure

Nico Golde nion at debian.org
Sun Nov 18 14:29:05 UTC 2012


Package: yui
Severity: grave
Tags: security

Hi,
the following vulnerabilities were published for yui.

CVE-2012-5883[0]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x
| and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and
| 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web
| script or HTML via vectors related to swfstore.swf, a similar issue to
| CVE-2010-4209.

CVE-2012-5882[1]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers to
| inject arbitrary web script or HTML via vectors related to
| uploader.swf, a similar issue to CVE-2010-4208.

CVE-2012-5881[2]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to
| inject arbitrary web script or HTML via vectors related to charts.swf,
| a similar issue to CVE-2010-4207.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5883
    http://security-tracker.debian.org/tracker/CVE-2012-5883
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5882
    http://security-tracker.debian.org/tracker/CVE-2012-5882
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5881
    http://security-tracker.debian.org/tracker/CVE-2012-5881
    http://yuilibrary.com/support/20121030-vulnerability/

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-javascript-devel/attachments/20121118/032caf7d/attachment.pgp>


More information about the Pkg-javascript-devel mailing list