salesagility / SuiteCRM

SuiteCRM - Open source CRM for the world
https://www.suitecrm.com
GNU Affero General Public License v3.0

Multiple XSS Vulnerabilities in Yahoo YUI component & YUI IO Utility #1724

Closed chadbennett closed 8 years ago

chadbennett commented 8 years ago

Issue

Multiple XSS Vulnerabilities in Yahoo YUI component & YUI IO Utility.

Possible Fix

Update Yahoo YUI Library. Delete YUI 2.x or patch vulnerable files.

Steps to Reproduce

See the following URLS

1. /include/javascript/yui/build/uploader/assets/uploader.swf?allowedDomain=\%22})))}catch(e){alert(document.domain);}//
2. /include/javascript/yui/build/uploader/assets/uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//
3. /include/javascript/yui3/build/io/io.swf?yid=\"));}catch(e){alert(document.domain);}//

Context

High-priority fix, as this affects all installs and can be exploited.

https://bugzilla.mozilla.org/show_bug.cgi?id=606523
http://yuilibrary.com/support/20131111-vulnerability/
https://vuldb.com/?id.55383
https://www.acunetix.com/vulnerabilities/web/yui-uploader-swf-cross-site-scripting
http://miladbr.blogspot.com/2013/06/flash-based-xss-in-yahoo-mail.html
http://yuilibrary.com/yui/docs/io/
http://yuilibrary.com/
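For an administrator who wants to verify the "delete YUI 2.x / patch vulnerable files" fix on their own install and to spot attempts against it in web server logs, the following is an added example (not SuiteCRM code and not from the reporter). It assumes a standard combined-format access log and a SuiteCRM web root on local disk; the two SWF paths are the ones quoted in the report, the log lines are constructed, and the `allowedDomain` / `yid` parameters are treated as a hostname and a YUI instance id respectively, so any other characters in them are flagged.

```python
"""Added example: find and remove the YUI Flash files named in the report, and
flag access-log requests that carry unexpected characters in their parameters.
Not part of SuiteCRM; paths come from the issue text, sample data is constructed."""
import os
import re
import tempfile
from urllib.parse import urlsplit, parse_qs

# Paths quoted in the report (relative to the web root), with the parameter
# each SWF reads from its query string.
VULNERABLE_SWF = {
    "/include/javascript/yui/build/uploader/assets/uploader.swf": "allowedDomain",
    "/include/javascript/yui3/build/io/io.swf": "yid",
}

# Assumption: a legitimate allowedDomain is a hostname and a legitimate yid is a
# YUI instance id; neither ever needs quotes, braces, parentheses or semicolons.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]*$")

# Apache/nginx combined log format: client ident user [time] "METHOD target proto" status bytes
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) '
)


def classify_request(line):
    """Return (client, path, verdict) for a request to a listed SWF, else None.

    verdict is "swf-request" (the file should not be reachable once removed) or
    "suspicious-parameter" (decoded value contains characters a hostname or
    instance id never has)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, target, _status = m.groups()
    parts = urlsplit(target)
    path = parts.path.lower()
    if path not in VULNERABLE_SWF:
        return None
    param = VULNERABLE_SWF[path]
    # parse_qs percent-decodes, so %22%29 is inspected as the characters it becomes.
    values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
    if all(SAFE_VALUE.match(v) for v in values):
        return client, path, "swf-request"
    return client, path, "suspicious-parameter"


def scan_log(lines):
    """Run classify_request over an iterable of log lines, keeping only hits."""
    return [hit for hit in (classify_request(l) for l in lines) if hit]


def find_swf_files(webroot):
    """List which of the reported SWF files are still present under webroot."""
    present = []
    for rel in VULNERABLE_SWF:
        full = os.path.join(webroot, rel.lstrip("/"))
        if os.path.isfile(full):
            present.append(full)
    return present


def remove_swf_files(webroot):
    """Apply the 'delete the vulnerable files' fix; returns the paths removed."""
    removed = []
    for full in find_swf_files(webroot):
        os.remove(full)
        removed.append(full)
    return removed


# Constructed sample log: one unrelated request, one normal YUI 3 io.swf load,
# one io.swf request with a percent-encoded value that decodes to "));}, and one
# uploader.swf request with a plain hostname.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2016:12:00:01 +0000] "GET /index.php?module=Home HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2016:12:00:02 +0000] "GET /include/javascript/yui3/build/io/io.swf?yid=yui_3_3_0_1 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Mar/2016:12:00:03 +0000] "GET /include/javascript/yui3/build/io/io.swf?yid=%22%29%29%3B%7D HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Mar/2016:12:00:04 +0000] "GET /include/javascript/yui/build/uploader/assets/uploader.swf?allowedDomain=crm.example.com HTTP/1.1" 200 4096',
]


def demo_install_check():
    """Build a throwaway web root containing both SWF stubs, then apply the fix.

    Returns (files found before, files removed, files found after)."""
    with tempfile.TemporaryDirectory() as webroot:
        for rel in VULNERABLE_SWF:
            full = os.path.join(webroot, rel.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"stub")  # constructed placeholder, not a real SWF
        before = len(find_swf_files(webroot))
        removed = len(remove_swf_files(webroot))
        after = len(find_swf_files(webroot))
    return before, removed, after


if __name__ == "__main__":
    for client, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:22} {client:15} {path}")
    print("install check (before, removed, after):", demo_install_check())
```

Every request to either SWF is reported, not only the suspicious ones: once the files are deleted, any hit at all means something is still linking to them or probing for them, and the web server should be answering 404. Flagging on the decoded parameter rather than on a specific string means the check does not depend on the exact encoding an attacker chose.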

samus-aran commented 8 years ago

Thanks for bringing that to our attention :+1: