SS-2014-002: XSS in third party library (SWFUpload)
- Severity: Medium
- Identifier: SS-2014-002
- Versions Affected: 3.0.8, 3.1.2 and all earlier versions
- Versions Fixed: 3.0.9, 3.1.3
- Release Date: 2014-02-19
A third-party JavaScript library (SWFUpload) is susceptible to cross-site scripting through its SWF interface (details). This library has been removed from core, mitigating this attack vector.
Download patch for 3.1 | Download patch for 3.0
Thanks to Marc Wickenden for reporting.