Vulnerability Details : CVE-2010-4209
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1 through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore/swfstore.swf.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2010-4209
Probability of exploitation activity in the next 30 days: 0.33%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 67 %
CVSS scores for CVE-2010-4209
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
CWE ids for CVE-2010-4209
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-4209
- http://www.vupen.com/english/advisories/2010/2878
  Webmail | OVH- OVH (Vendor Advisory)
- http://www.vupen.com/english/advisories/2010/2975
  Webmail | OVH- OVH
- http://www.securityfocus.com/archive/1/514622
  SecurityFocus
- http://www.securitytracker.com/id?1024683
  Bugzilla Permits Cross-Site Scripting and HTTP Response Splitting Attacks and Discloses Certain Information to Remote Users - SecurityTracker
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html
  [SECURITY] Fedora 13 Update: bugzilla-3.4.9-1.fc13
- http://yuilibrary.com/support/2.8.2/
  YUI Security Bulletin (Patch; Vendor Advisory)
- http://www.bugzilla.org/security/3.2.8/
  3.2.8, 3.4.8, 3.6.2, and 3.7.3 Security Advisory :: Bugzilla :: bugzilla.org
- http://www.securityfocus.com/bid/44420
  YUI Multiple Cross Site Scripting Vulnerabilities
- http://www.openwall.com/lists/oss-security/2010/11/07/1
  oss-security - Re: CVE request: moodle 1.9.10
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050820.html
  [SECURITY] Fedora 14 Update: bugzilla-3.6.3-1.fc14
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050830.html
  [SECURITY] Fedora 12 Update: bugzilla-3.4.9-1.fc12
- http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2010:021
Products affected by CVE-2010-4209
- cpe:2.3:a:yahoo:yui:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.8.1:*:*:*:*:*:*:*