Description

Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression.

Remediation

References

https://moodle.org/mod/forum/discuss.php?d=232496

http://yuilibrary.com/support/20130515-vulnerability/

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678

Related Vulnerabilities

CVE-2019-10406 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2019-10347 Vulnerability in maven package javagh.jenkins:mashup-portlets-plugin

CVE-2023-45818 Vulnerability in npm package tinymce

CVE-2018-1000195 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-41245 Vulnerability in maven package org.jenkins-ci.plugins:ws-execution-manager

Severity

Critical

Classification

CWE-79

Tags

Vendor Advisory Patch