Description

Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

Remediation

References

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678

http://yuilibrary.com/support/20130515-vulnerability/

https://moodle.org/mod/forum/discuss.php?d=232496

Related Vulnerabilities

CVE-2022-2564 Vulnerability in npm package mongoose

CVE-2015-7499 Vulnerability in npm package libxmljs

CVE-2022-41244 Vulnerability in maven package org.jenkins-ci.plugins:view26

CVE-2022-42125 Vulnerability in maven package com.liferay.portal:com.liferay.portal.impl

CVE-2023-35925 Vulnerability in maven package com.fastasyncworldedit:fastasyncworldedit-core

Severity

Critical

Classification

CWE-79

Tags

Patch Vendor Advisory