CVE-2012-3414

NameCVE-2012-3414
DescriptionCross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs681323, 698934

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libjs-swfupload (PTS)stretch2.2.0.1+ds2-1fixed
wordpress (PTS)stretch (security), stretch4.7.5+dfsg-2+deb9u6fixed
buster, buster (security)5.0.10+dfsg1-0+deb10u1fixed
bullseye, sid5.4.2+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libjs-swfuploadsource(unstable)2.2.0.1+ds1-2low681323
wordpresssource(unstable)3.5.1+dfsg-1698934

Notes

https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/

Search for package or bug name: Reporting problems