CVE-2012-3414

NameCVE-2012-3414
DescriptionCross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs681323, 698934

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libjs-swfupload (PTS)jessie2.2.0.1+ds1-2fixed
stretch2.2.0.1+ds2-1fixed
wordpress (PTS)jessie, jessie (lts)4.1.35+dfsg-0+deb8u1fixed
stretch (security), stretch (lts), stretch4.7.23+dfsg-0+deb9u1fixed
buster5.0.15+dfsg1-0+deb10u1fixed
buster (security)5.0.21+dfsg1-0+deb10u1fixed
bullseye (security), bullseye5.7.8+dfsg1-0+deb11u2fixed
bookworm6.1.1+dfsg1-1fixed
sid, trixie6.4.3+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libjs-swfuploadsource(unstable)2.2.0.1+ds1-2low681323
wordpresssource(unstable)3.5.1+dfsg-1698934

Notes

https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/

Search for package or bug name: Reporting problems