oss-sec mailing list archives
CVE request: Flash based XSS in FileAPI.flash.swf
From: mala <mala () ma la>
Date: Sun, 13 Sep 2015 02:14:29 +0900
Hello, Please assign a CVE ID to this. FileAPI https://github.com/mailru/FileAPI - fixed in 2.0.15 https://github.com/mailru/FileAPI/releases/tag/2.0.15 - https://github.com/mailru/FileAPI/pull/342 summary: Cross-site scripting (XSS) vulnerability in FileAPI.flash.swf related to the "ExternalInterface.call" function. Arbitrary javascript code execution is possible on the domain hosting swf file. This is similar to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8992 https://github.com/mailru/FileAPI/pull/228 but another attack vector. Probably, all older versions are affected by XSS. At least mailru/FileAPI version 1.1.0 contains vulnerable code. references: major library that include FileAPI.flash.swf jquery.fileapi https://github.com/RubaXa/jquery.fileapi - fixed in 0.4.11 https://github.com/RubaXa/jquery.fileapi/releases/tag/0.4.11 ng-file-upload https://github.com/danialfarid/ng-file-upload - fixed in 7.1.0 https://github.com/danialfarid/ng-file-upload/releases/tag/7.1.0 - https://github.com/danialfarid/ng-file-upload/issues/997 and CMS/Web framework that uses jquery.fileapi, ng-file-upload https://github.com/search?l=json&q=jquery.fileapi&ref=searchresults&type=Code https://github.com/search?l=json&q=ng-file-upload&type=Code -- ma.la
Current thread:
- CVE request: Flash based XSS in FileAPI.flash.swf mala (Sep 12)