Description
Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342.
References (5)
Core References
Patch x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/03/17/1
Various Sources x_refsource_confirm
http://flash.flowplayer.org/documentation/version-history.html
Various Sources x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=256420
Issue Tracking x_refsource_confirm
https://github.com/flowplayer/flash/issues/121
Scores
EPSS: 0.0026
EPSS Percentile: 49.3%
Details
CWE: CWE-79
Status: published
Products (50)
flowplayer/flowplayer_flash 3.0.0
flowplayer/flowplayer_flash 3.0.1
flowplayer/flowplayer_flash 3.0.2
flowplayer/flowplayer_flash 3.0.3
flowplayer/flowplayer_flash 3.0.4
flowplayer/flowplayer_flash 3.0.5
flowplayer/flowplayer_flash 3.0.6
flowplayer/flowplayer_flash 3.1.0
flowplayer/flowplayer_flash 3.1.1
flowplayer/flowplayer_flash 3.1.2
... and 40 more
Published: Mar 24, 2014
Tracked Since: Feb 18, 2026