GitHub Advisory DatabaseGHSA-MJ87-8XF8-FP4WCross-Site Scripting in yui
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
72.4%
Affected versions of yui are vulnerable to cross-site scripting in the uploader.swf and io.swf utilities, via script injection in the url.
Recommendation
YUI has published their recommendation to fix this issue.
Their recommendation is to:
- Delete self-hosted copies of these files if you are not using them
- Use the Yahoo! CDN hosted files
- Use the patched files provided on the YUI Library here.
Affected configurations
References
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678
yuilibrary.com/support/20130515-vulnerability/
github.com/advisories/GHSA-mj87-8xf8-fp4w
lists.apache.org/thread.html/72837f969cdf9b63a7e7337edd069fa3b3950eea7c997cc2ff61aa0c@%3Cissues.zookeeper.apache.org%3E
lists.apache.org/thread.html/d8b9403dbab85a51255614949938b619bd03b1c944c76c48c6996a0e@%3Cdev.zookeeper.apache.org%3E
moodle.org/mod/forum/discuss.php?d=232496
nvd.nist.gov/vuln/detail/CVE-2013-4939
www.npmjs.com/advisories/332
yuilibrary.com/support/20130515-vulnerability/
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
72.4%