SS-2014-002: XSS in third party library (SWFUpload)

Severity: Medium
Identifier: SS-2014-002
Versions Affected: 3.0.8, 3.1.2 and all earlier versions
Versions Fixed: 3.0.9, 3.1.3
Release Date: 2014-02-19

A third party JavaScript library (SWFUpload) is susceptible to cross-site scripting through its SWF interface (details). This library has been removed from core, mitigating this attack vector.

Download patch for 3.1 | Download patch for 3.0

Thanks to Marc Wickenden for reporting.