CVE-2013-4940 – yui

Package

Manager: npm
Name: yui
Vulnerable Version: >=3.0.0 <3.10.11 || =3.10.12 || >=3.10.12 <3.10.13

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00344 pctl0.56332

Details

YUI Cross-site Scripting (XSS) vulnerability Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression.

Metadata

Created: 2022-05-13T01:12:54Z
Modified: 2025-04-12T03:24:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x5hj-47vv-53p8/GHSA-x5hj-47vv-53p8.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-x5hj-47vv-53p8
Finding: F008
Auto approve: 1