CVE-2012-5881 — Cross-site scripting in yui 2.4.0

Description

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to charts.swf, a similar issue to CVE-2010-4207.

How to fix CVE-2012-5881

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

npm/yui2—no fix listed

Is CVE-2012-5881 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.4.0, <= 2.9.0

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-5881
WEBexchange.xforce.ibmcloud.com/vulnerabilities/80118
WEBwww.securityfocus.com/bid/56385
WEBwww.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2