Post Mortem: SWF Vulnerability in YUI 2

By YUI Team, November 5th, 2012

The YUI team has discovered a security-related defect in certain self-hosted YUI 2 .swf files. This defect allows JavaScript injection exploits to be created against domains that host these affected .swf files, whether or not the .swf files are embedded in your application. Visit the security bulletin for full details about how to identify and replace the affected files.

If your site hosts a YUI 2 distribution between version 2.4.0 and 2.9.0 that includes these files, it is affected by this vulnerability.

If your site loads YUI 2 from Yahoo’s CDN (yui.yahooapis.com) or from Google’s CDN (ajax.googleapis.com), and the files are not hosted on your own domain, you are not affected. YUI 3 is not affected by this issue.

See the security bulletin for information about how to determine whether your site is affected, how to remedy the problem, and how to verify the fix.

Note: This vulnerability is also listed under CVE-2012-5881, CVE-2012-5882, and CVE-2012-5883.
