Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to charts.swf, a similar issue to CVE-2010-4207.

According to its self-reported version number, YUI is at least 3.0.0 and prior to 3.10.0. Therefore, it may be affected by a cross-site scripting vulnerability via YUI .swf files used in the IO Utility and Uploader components.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, YUI is at least 2.4.0 and prior to 3.0.0. Therefore, it may be affected by a cross-site scripting vulnerability via YUI .swf files.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The YUI team reports : Vulnerability in YUI 2.4.0 through YUI 2.9.0 A XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files.

If your site loads YUI 2 from a CDN (yui.yahooapis.com, ajax.googleapis.com, etc.) and not from your own domain, you are not affected. YUI 3 is not affected by this issue.

A Bugzilla Security Advisory reports : The following security issues have been discovered in Bugzilla : Information Leak If the visibility of a custom field is controlled by a product or a component of a product you cannot see, their names are disclosed in the JavaScript code generated for this custom field despite they should remain confidential.

Calling the User.get method with a 'groups' argument leaks the existence of the groups depending on whether an error is thrown or not. This method now also throws an error if the user calling this method does not belong to these groups (independently of whether the groups exist or not).

Trying to mark an attachment in a bug you cannot see as obsolete discloses its description in the error message. The description of the attachment is now removed from the error message. Cross-Site Scripting Due to incorrectly filtered field values in tabular reports, it is possible to inject code leading to XSS.

A vulnerability in swfstore.swf from YUI2 allows JavaScript injection exploits to be created against domains that host this affected YUI .swf file.

ID	Name	Product	Family	Severity
112415	YUI 3.0.0 < 3.10.0 Cross-site Scripting	Web App Scanning	Component Vulnerability	medium
112414	YUI 2.4.0 < 3.0.0 Cross-site Scripting	Web App Scanning	Component Vulnerability	medium
63070	FreeBSD : YUI JavaScript library -- JavaScript injection exploits in Flash components (aa4f86af-3172-11e2-ad21-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	medium
62956	FreeBSD : bugzilla -- multiple vulnerabilities (2b841f88-2e8d-11e2-ad21-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2012-5881

medium

Tenable Plugins

medium

medium

medium

medium