A vulnerability in the YUI 2 Flash component infrastructure allows certain JavaScript injection exploits to be created against domains that host affected YUI .swf files. The YUI 2.8.2 release corrects this problem [1]. YUI is part of Moodle, and Moodle 1.9.10 includes the fixed YUI .swf files (MSA-10-0017 [2]).

[1] http://yuilibrary.com/support/2.8.2/
[2] http://moodle.org/security/
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 646661]
This has been assigned the name CVE-2010-3866.
CVE-2010-3866 was rejected in favour of CVE-2010-4207, CVE-2010-4208, and CVE-2010-4209 as there are three issues here:

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4207 to the following vulnerability:

Name: CVE-2010-4207
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4207
Assigned: 20101107
Reference: CONFIRM: http://moodle.org/mod/forum/discuss.php?d=160910
Reference: CONFIRM: http://www.bugzilla.org/security/3.2.8/
Reference: CONFIRM: http://yuilibrary.com/support/2.8.2/
Reference: SECUNIA:41955
Reference: URL: http://secunia.com/advisories/41955
Reference: VUPEN:ADV-2010-2878
Reference: URL: http://www.vupen.com/english/advisories/2010/2878

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4208 to the following vulnerability:

Name: CVE-2010-4208
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4208
Assigned: 20101107
Reference: CONFIRM: http://moodle.org/mod/forum/discuss.php?d=160910
Reference: CONFIRM: http://www.bugzilla.org/security/3.2.8/
Reference: CONFIRM: http://yuilibrary.com/support/2.8.2/
Reference: SECUNIA:41955
Reference: URL: http://secunia.com/advisories/41955
Reference: VUPEN:ADV-2010-2878
Reference: URL: http://www.vupen.com/english/advisories/2010/2878

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader/assets/uploader.swf.
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4209 to the following vulnerability:

Name: CVE-2010-4209
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4209
Assigned: 20101107
Reference: CONFIRM: http://www.bugzilla.org/security/3.2.8/
Reference: CONFIRM: http://yuilibrary.com/support/2.8.2/
Reference: SECUNIA:41955
Reference: URL: http://secunia.com/advisories/41955
Reference: VUPEN:ADV-2010-2878
Reference: URL: http://www.vupen.com/english/advisories/2010/2878

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1 through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore/swfstore.swf.
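
As an added example (not part of this bug report and not YUI, Moodle or Bugzilla code), the following triage script walks a directory holding a bundled YUI 2 copy and reports which of the three CVEs above apply, using only the .swf paths and version ranges given in the CVE entries. The YUI version is supplied by the caller; the function names and the `lib/yui` sample layout are constructed for illustration.

```python
import os
import tempfile

# Affected .swf paths and version ranges, exactly as listed in the CVE entries above.
AFFECTED = {
    "CVE-2010-4207": ("charts/assets/charts.swf", (2, 4, 0), (2, 8, 1)),
    "CVE-2010-4208": ("uploader/assets/uploader.swf", (2, 5, 0), (2, 8, 1)),
    "CVE-2010-4209": ("swfstore/swfstore.swf", (2, 8, 0), (2, 8, 1)),
}

def parse_version(text):
    """Turn '2.8.1' into (2, 8, 1); pad short versions such as '2.8' with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def find_affected_swfs(yui_root, yui_version):
    """Return sorted (cve, relative_path) pairs for affected .swf files under yui_root.

    yui_version is the version of the bundled YUI 2 copy (assumption: the caller
    knows it, for example from the package changelog)."""
    version = parse_version(yui_version)
    hits = []
    for dirpath, _dirs, files in os.walk(yui_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, yui_root).replace(os.sep, "/")
            for cve, (suffix, low, high) in AFFECTED.items():
                on_path = rel == suffix or rel.endswith("/" + suffix)
                if on_path and low <= version <= high:
                    hits.append((cve, rel))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample layout: empty placeholder files, not real .swf content."""
    for rel in ("lib/yui/charts/assets/charts.swf",
                "lib/yui/uploader/assets/uploader.swf",
                "lib/yui/swfstore/swfstore.swf",
                "lib/yui/charts/charts-min.js"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for ver in ("2.4.1", "2.8.1", "2.8.2"):
            print(ver, find_affected_swfs(tmp, ver))
```

A file found on one of these paths under a 2.8.2 tree is not reported, since 2.8.2 is the release the page names as the fix.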
Current Fedora 14/15 have 1.9.14. Current Fedora 16 has 2.0.5. Current rawhide and EPEL6 have 2.1.2.