Topic: | XSS vulnerability in YUI 2.4.0 through YUI 2.8.1 |
Severity: | Critical |
Versions affected: | < 1.9.10 |
Reported and coordinated by: | YUI development team |
Issue no.: | MDL-24808 |
Solution: | upgrade to Moodle 1.9.10 or replace the following vulnerable files as described in the linked YUI support document:
/lib/yui/uploader/assets/uploader.swf
/lib/yui/charts/assets/charts.swf |
Description:
Moodle 1.9.9 and older include YUI library 2.6.0, which is one of the vulnerable versions described in http://yuilibrary.com/support/2.8.2/. This makes all older versions of Moodle 1.9.x vulnerable.
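
One way to check an installation against this advisory, as an added example that is not Moodle or YUI project code: it reads the release from version.php and lists the two SWF files named above with SHA-256 digests, so they can be compared with the replacement files from the YUI support document. The function names, the assumed `$release` line format and the sample tree are constructed for illustration.

```shell
# Added example (not Moodle project code): audit a Moodle tree against this advisory.
# Assumption: <root>/version.php has a line like  $release = '1.9.9 (Build: 20100609)';

# The two files the advisory names, relative to the Moodle root.
YUI_SWF_FILES="lib/yui/uploader/assets/uploader.swf lib/yui/charts/assets/charts.swf"

# Print the dotted release number (for example 1.9.9) parsed from version.php.
moodle_release() {
    sed -n "s/^[[:space:]]*[\$]release[[:space:]]*=[[:space:]]*['\"]\([0-9][0-9.]*\).*/\1/p" \
        "$1/version.php" 2>/dev/null | head -n 1
}

# Exit 0 when release $1 is lower than 1.9.10, the fixed release.
is_affected() {
    echo "$1" | awk -F. '{ exit !(($1 * 1000000 + $2 * 1000 + $3) < 1009010) }'
}

# List the advisory's files found under root $1 with their SHA-256 digests.
# Returns 1 if the release is affected and a file is present, 2 if the release is unreadable, else 0.
audit_moodle() {
    root=$1
    rel=$(moodle_release "$root")
    if [ -z "$rel" ]; then
        echo "cannot read release from $root/version.php" >&2
        return 2
    fi
    found=0
    for f in $YUI_SWF_FILES; do
        [ -f "$root/$f" ] || continue
        found=$((found + 1))
        # Compare this digest with the replacement file from the YUI support document.
        echo "present: $f sha256=$(sha256sum "$root/$f" | cut -d' ' -f1)"
    done
    if is_affected "$rel" && [ "$found" -gt 0 ]; then
        echo "Moodle $rel: below 1.9.10, $found YUI SWF file(s) present"
        return 1
    fi
    echo "Moodle $rel: nothing flagged"
}

# Constructed sample tree for trying the check offline: $1 = directory, $2 = release.
make_sample_tree() {
    mkdir -p "$1/lib/yui/uploader/assets" "$1/lib/yui/charts/assets"
    printf "<?php\n    \$release = '%s (Build: 00000000)';\n" "$2" > "$1/version.php"
    touch "$1/lib/yui/uploader/assets/uploader.swf" "$1/lib/yui/charts/assets/charts.swf"
}

if [ -n "${1:-}" ]; then audit_moodle "$1"; fi
```

A return value of 1 only says the files are present in a pre-1.9.10 tree; whether they have already been replaced is decided by comparing the printed digests.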