CVE-2013-4940 — YUI Cross-site Scripting (XSS) vulnerability

Description

Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression.

How to fix CVE-2013-4940

To remediate CVE-2013-4940, upgrade the affected package to a fixed version below.

npm/yui—upgrade to 3.10.11 or later
—upgrade to 2.2.11 or later

Is CVE-2013-4940 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.0.0, < 3.10.11
from 0, < 2.2.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4940
WEBgit.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678
WEBmoodle.org/mod/forum/discuss.php?d=232496
WEBweb.archive.org/web/20130909203912/http://yuilibrary.com/support/20130515-vulnerability