Vulnerability Details : CVE-2010-4208
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader/assets/uploader.swf.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2010-4208
Probability of exploitation activity in the next 30 days: 0.36%
Percentile (proportion of all scored vulnerabilities with an EPSS score at or below this one): ~68%
CVSS scores for CVE-2010-4208
Base Score | Base Severity | CVSS v2 Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST
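The three NIST numbers above come straight from the CVSS v2 base equations, so they can be recomputed from the vector string. The following calculator is an added example (not part of the NVD entry): it parses the v2 vector, applies the CVSS v2 weights and equations, and reproduces the 8.6 / 2.9 / 4.3 shown in the table. The severity bands are NVD's v2 qualitative ranges (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0).

```python
"""CVSS v2 base-score calculator.

Added example, not code from NVD or from this page. Recomputes the NIST
Exploitability, Impact and Base scores for CVE-2010-4208 from the vector
AV:N/AC:M/Au:N/C:N/I:P/A:N using the CVSS v2 base equations.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base-metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

CVE_2010_4208_VECTOR = "AV:N/AC:M/Au:N/C:N/I:P/A:N"  # as shown in the NIST row


def parse_vector(vector):
    """'AV:N/AC:M/Au:N/C:N/I:P/A:N' -> {'AV': 'N', 'AC': 'M', ...}."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    return metrics


def round_to_1_decimal(value):
    """CVSS v2 rounds half up; Python's round() would round half to even."""
    return float(Decimal(str(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base(vector):
    """Return {'base', 'impact', 'exploitability'} for a CVSS v2 base vector."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA_IMPACT[m["C"]])
                          * (1 - CIA_IMPACT[m["I"]])
                          * (1 - CIA_IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return {
        "base": round_to_1_decimal(base),
        "impact": round_to_1_decimal(impact),
        "exploitability": round_to_1_decimal(exploitability),
    }


def nvd_v2_severity(base_score):
    """NVD qualitative bands for CVSS v2: Low, Medium, High."""
    if base_score < 4.0:
        return "LOW"
    if base_score < 7.0:
        return "MEDIUM"
    return "HIGH"


def scores_for_cve_2010_4208():
    """Scores and severity for the vector on this page."""
    scores = cvss2_base(CVE_2010_4208_VECTOR)
    scores["severity"] = nvd_v2_severity(scores["base"])
    return scores


if __name__ == "__main__":
    print(scores_for_cve_2010_4208())
```

Only integrity is partially affected (I:P), so the impact sub-score is small (2.9); the high exploitability sub-score (8.6) reflects network access with no authentication, which is why an XSS that an attacker can only trigger by luring a victim still lands at 4.3 MEDIUM.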
CWE ids for CVE-2010-4208
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2010-4208
- http://www.vupen.com/english/advisories/2010/2878
  VUPEN Security Advisory 2010/2878 (Vendor Advisory)
- http://www.vupen.com/english/advisories/2010/2975
  VUPEN Security Advisory 2010/2975
- http://www.securityfocus.com/archive/1/514622
  SecurityFocus (Bugtraq mailing list post)
- http://www.securitytracker.com/id?1024683
  Bugzilla Permits Cross-Site Scripting and HTTP Response Splitting Attacks and Discloses Certain Information to Remote Users (SecurityTracker)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html
  [SECURITY] Fedora 13 Update: bugzilla-3.4.9-1.fc13
- http://yuilibrary.com/support/2.8.2/
  YUI Security Bulletin (Patch; Vendor Advisory)
- http://www.bugzilla.org/security/3.2.8/
  3.2.8, 3.4.8, 3.6.2, and 3.7.3 Security Advisory :: Bugzilla :: bugzilla.org (Vendor Advisory)
- http://www.securityfocus.com/bid/44420
  YUI Multiple Cross Site Scripting Vulnerabilities (SecurityFocus BID 44420)
- http://www.openwall.com/lists/oss-security/2010/11/07/1
  oss-security - Re: CVE request: moodle 1.9.10
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050820.html
  [SECURITY] Fedora 14 Update: bugzilla-3.6.3-1.fc14
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050830.html
  [SECURITY] Fedora 12 Update: bugzilla-3.4.9-1.fc12
- http://moodle.org/mod/forum/discuss.php?d=160910
  Moodle.org: MSA-10-0017: XSS vulnerability in YUI 2.4.0 through YUI 2.8.1
- http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2010:021
Products affected by CVE-2010-4208
- cpe:2.3:a:yahoo:yui:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.8.1:*:*:*:*:*:*:*
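Because YUI 2 was vendored into many applications (Bugzilla and Moodle are the two named above), the practical question is which copies of uploader/assets/uploader.swf on a host fall inside 2.5.0 through 2.8.1. The triage script below is an added example, not code from NVD, YUI, Bugzilla or Moodle: it walks a web root for that SWF path, reads the YUI build version from the "version: X.Y.Z" comment header that YUI 2 build files carry (an assumption about the deployment; adjust the regex if your copy was minified differently), and flags versions in the affected range, treating 2.8.2 (the release the YUI bulletin points to) as fixed. The CPE list is embedded so the range check can be cross-checked against it. The directory tree it scans is a constructed fixture built in a temporary directory.

```python
"""Affected-version triage for CVE-2010-4208.

Added example, not code from NVD, YUI, Bugzilla or Moodle. Finds every copy of
uploader/assets/uploader.swf under a web root, reads the YUI build version from
the 'version: X.Y.Z' header of YUI 2 build files (assumed layout), and flags
copies in the affected range 2.5.0 through 2.8.1 (fixed in 2.8.2).
"""
import os
import re
import tempfile

# Affected CPEs as listed on the NVD entry; used to cross-check the range test.
AFFECTED_CPES = [
    "cpe:2.3:a:yahoo:yui:2.5.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:yahoo:yui:2.5.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:yahoo:yui:2.5.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:yahoo:yui:2.6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:yahoo:yui:2.7.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:yahoo:yui:2.8.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:yahoo:yui:2.8.1:*:*:*:*:*:*:*",
]
FIRST_AFFECTED = (2, 5, 0)
FIXED = (2, 8, 2)                      # YUI 2.8.2 per the YUI security bulletin
VERSION_RE = re.compile(r"version:\s*(\d+\.\d+\.\d+)")   # assumed header format


def parse_version(text):
    """'2.8.1' -> (2, 8, 1); tuples compare numerically, raw strings do not."""
    return tuple(int(part) for part in text.strip().split("."))


def cpe_version(cpe):
    """Version field (index 5) of a CPE 2.3 string."""
    return parse_version(cpe.split(":")[5])


def is_affected(version):
    """True when 2.5.0 <= version < 2.8.2."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return FIRST_AFFECTED <= v < FIXED


def detect_yui_version(yui_root, probe_bytes=4096):
    """First 'version: X.Y.Z' header found in .js/.css files under yui_root."""
    for dirpath, _, files in os.walk(yui_root):
        for name in sorted(files):
            if name.endswith((".js", ".css")):
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    match = VERSION_RE.search(fh.read(probe_bytes))
                if match:
                    return match.group(1)
    return None


def find_uploaders(webroot):
    """Every uploader.swf under webroot, with its YUI version and status."""
    hits = []
    suffix = os.path.join("uploader", "assets")
    for dirpath, _, files in os.walk(webroot):
        if "uploader.swf" in files and dirpath.endswith(suffix):
            # YUI 2 build layout: <yui_root>/uploader/assets/uploader.swf
            yui_root = os.path.dirname(os.path.dirname(dirpath))
            version = detect_yui_version(yui_root)
            hits.append({
                "swf": os.path.join(dirpath, "uploader.swf"),
                "version": version,
                "affected": bool(version) and is_affected(version),
            })
    return hits


def build_sample_tree(root):
    """Constructed fixture: two vendored YUI 2 copies, one vulnerable, one patched."""
    for app, ver in (("bugzilla/js/yui", "2.8.1"), ("moodle/lib/yui", "2.8.2")):
        base = os.path.join(root, *app.split("/"))
        os.makedirs(os.path.join(base, "uploader", "assets"))
        os.makedirs(os.path.join(base, "yahoo"))
        with open(os.path.join(base, "uploader", "assets", "uploader.swf"), "wb") as fh:
            fh.write(b"FWS")           # placeholder bytes, not a real SWF
        with open(os.path.join(base, "yahoo", "yahoo.js"), "w") as fh:
            fh.write("/*\nCopyright (c) 2010, Yahoo! Inc.\nversion: %s\n*/\n" % ver)


def demo():
    """Build the fixture in a temp dir; return {relative swf path: affected}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(h["swf"], root): h["affected"] for h in find_uploaders(root)}


if __name__ == "__main__":
    for path, affected in sorted(demo().items()):
        print("%-50s %s" % (path, "AFFECTED" if affected else "ok"))
```

Run it against a real web root by calling find_uploaders("/var/www") in place of demo(); a copy whose version cannot be read is reported with version None rather than silently marked safe, so those hits still need a manual look.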