CVE-2012-5883
Bugzilla 3.7.x-4.0.8, 4.1.x-4.2.3, 4.3.x-4.4rc1 - Cross-Site Scripting via YUI Flash Component
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore.swf, a similar issue to CVE-2010-4209.
References (8)
Core 8
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=808845
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2013:066
Various Sources x_refsource_confirm
http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/
Various Sources x_refsource_confirm
http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
Issue Tracking x_refsource_confirm
http://www.bugzilla.org/security/3.6.11/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/56385
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/80116
Patch, Vendor Advisory x_refsource_confirm
http://yuilibrary.com/support/20121030-vulnerability/
Scores
EPSS
0.0210
EPSS Percentile
79.6%
Details
CWE
CWE-79
Status
published
Products (29)
mozilla/bugzilla
3.7
mozilla/bugzilla
3.7.1
mozilla/bugzilla
3.7.2
mozilla/bugzilla
3.7.3
mozilla/bugzilla
4.0 (3 CPE variants)
mozilla/bugzilla
4.0.1
mozilla/bugzilla
4.0.2
mozilla/bugzilla
4.0.3
mozilla/bugzilla
4.0.4
mozilla/bugzilla
4.0.5
... and 19 more
Published
Nov 16, 2012
Tracked Since
Feb 18, 2026