Detections
Analytics

YUI charts.swf / swfstore.swf / uploader.swf XSS

medium Nessus Plugin ID 50495

Language:

Synopsis

The remote web server hosts at least one SWF file that is affected a cross-site scripting vulnerability.

Description

The version of the YUI library of JavaScript utilities and controls hosted on the remote web server includes at least one SWF file that is affected by an unspecified cross-site scripting vulnerability.

An attacker can leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.

Solution

Either upgrade to YUI version 2.8.2 or later or replace the affected files as described in the YUI advisory. Alternatively,

 - If using Bugzilla, upgrade to version 3.2.8 / 3.4.8 / 3.6.2 / 3.7.3 or later.

 - If using Moodle, upgrade to version 1.9.10 or later.

See Also

http://yuilibrary.com/support/2.8.2/

https://moodle.org/mod/forum/discuss.php?d=160910

https://www.bugzilla.org/security/3.2.8/

https://seclists.org/bugtraq/2010/Nov/48

Plugin Details

Severity: Medium

ID: 50495

File Name: yui_swf_xss.nasl

Version: 1.14

Type: remote

Published: 11/5/2010

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

Exploit Ease: No exploit is required

Patch Publication Date: 10/26/2010

Vulnerability Publication Date: 10/26/2010

Reference Information

CVE: CVE-2010-4207, CVE-2010-4208, CVE-2010-4209

BID: 44420

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990