DescriptionCross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to charts.swf, a similar issue to CVE-2010-4207.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs693608, 694641

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
icinga-web (PTS)jessie1.11.2+dfsg1-1fixed
yui3 (PTS)sid, jessie3.5.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
yui3source(unstable)(not affected)


[squeeze] - yui <no-dsa> (Minor issue, Flash not build from source in oldstable)

Search for package or bug name: Reporting problems