SS-2014-002: XSS in third party library (SWFUpload)

Severity: Moderate
Identifier: SS-2014-002
Versions Affected: 3.0.8, 3.1.2 and all earlier versions
Versions Fixed: 3.0.9, 3.1.3
Release Date: 2014-02-19

A third party JavaScript library (SWFUpload) is susceptible to cross-site scripting through its SWF interface (details). This library has been removed from core, mitigating this attack vector.

Download patch for 3.1 | Download patch for 3.0

Thanks to Marc Wickenden for reporting.
