May 15, 2013 -- A security vulnerability was discovered in several YUI .swf files. This vulnerability impacts all versions of YUI from YUI 3.0.0 through 3.10.0. Please read this bulletin carefully and take note of the instructions to remove this vulnerability from your own implementations.
Note: This issue resurfaced in 3.10.2 for io.swf only. Please follow the same steps to remove the vulnerability.
Note: This vulnerability is also listed under CVE-2013-4939, CVE-2013-4940, CVE-2013-4941, and CVE-2013-4942.
Aleksandr Dobkin and Sebastian Roschke of the Google Security Team recently found XSS vectors in .swf files used in the IO Utility and Uploader components. A carefully constructed URL accessing these .swf files directly could cause them to execute JavaScript in the context of the hosted .swf files and potentially expose cookies or other sensitive information from the hosted site.
The YUI team has taken steps to remove this vulnerability from our CDN, hosted .zip files, and npm packages by replacing the affected .swf files with patched ones that do not allow arbitrary strings to be passed in and executed in the manner that the vulnerability exposes.
If you are hosting these .swf files but are not using them, simply delete the .swf files to resolve the vulnerability.
If you load these assets from the Yahoo! CDN, we have already patched all vulnerable files, and no further action is necessary.
If you host and use this functionality, refer to the table below for information on downloading replacements for the affected files. Make sure you scan all your hosts for all versions of these files.
| Version | Replacement File | Old MD5 | Patched MD5 |
|---|---|---|---|
| 3.0.0 | io.swf | 7f22020ec768608f2620681547e5cfbc | c0aeb2d9ce51f404e792890578e2c71f |
| 3.1.0 | io.swf | 528990efbd93fb7a9f7890a81ff94dd0 | b846bd01ce0946ac023811f8f81a1783 |
| 3.1.1 | io.swf | 528990efbd93fb7a9f7890a81ff94dd0 | b846bd01ce0946ac023811f8f81a1783 |
| 3.1.2 | io.swf | eb6777f7fa9048ef2347d8210787896f | b846bd01ce0946ac023811f8f81a1783 |
| 3.2.0 | io.swf | c3491bb3c6863c5b05f5168adfd064d7 | 023ba0ef89ba692ddc472e24def72c60 |
| 3.2.0 | uploader.swf | 7efdb06c1b588ed4878d7f24b366fac4 | f9bb520229719fd4f138918826ea0bbf |
| 3.3.0 | io.swf | c3491bb3c6863c5b05f5168adfd064d7 | 023ba0ef89ba692ddc472e24def72c60 |
| 3.3.0 | uploader.swf | 7efdb06c1b588ed4878d7f24b366fac4 | f9bb520229719fd4f138918826ea0bbf |
| 3.4.0 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.4.0 | uploader.swf | 7efdb06c1b588ed4878d7f24b366fac4 | f9bb520229719fd4f138918826ea0bbf |
| 3.4.1 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.4.1 | uploader.swf | 7efdb06c1b588ed4878d7f24b366fac4 | f9bb520229719fd4f138918826ea0bbf |
| 3.5.0 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.5.0 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.5.0 | flashuploader.swf | e5d39fad451c70719dfda99f4ee39991 | 86c183e8ddd33b7012d033eaec52755d |
| 3.5.1 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.5.1 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.5.1 | flashuploader.swf | e5d39fad451c70719dfda99f4ee39991 | 86c183e8ddd33b7012d033eaec52755d |
| 3.6.0 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.6.0 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.6.0 | flashuploader.swf | b706cb01446002126f80c541a2fa62c0 | 6b214e93a4082ea689bcd23dbd34c4bd |
| 3.7.0 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.7.0 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.7.0 | flashuploader.swf | b706cb01446002126f80c541a2fa62c0 | 6b214e93a4082ea689bcd23dbd34c4bd |
| 3.7.1 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.7.1 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.7.1 | flashuploader.swf | b706cb01446002126f80c541a2fa62c0 | 6b214e93a4082ea689bcd23dbd34c4bd |
| 3.7.2 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.7.2 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.7.2 | flashuploader.swf | b706cb01446002126f80c541a2fa62c0 | 6b214e93a4082ea689bcd23dbd34c4bd |
| 3.7.3 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.7.3 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.7.3 | flashuploader.swf | b706cb01446002126f80c541a2fa62c0 | 6b214e93a4082ea689bcd23dbd34c4bd |
| 3.8.0 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.8.0 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.8.0 | flashuploader.swf | b706cb01446002126f80c541a2fa62c0 | 6b214e93a4082ea689bcd23dbd34c4bd |
| 3.8.1 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.8.1 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.8.1 | flashuploader.swf | b706cb01446002126f80c541a2fa62c0 | 6b214e93a4082ea689bcd23dbd34c4bd |
| 3.9.0 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.9.0 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.9.0 | flashuploader.swf | b706cb01446002126f80c541a2fa62c0 | 6b214e93a4082ea689bcd23dbd34c4bd |
| 3.9.1 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | ef4d5f86272e90e21a158882ecbd481b |
| 3.9.1 | uploader.swf | aa54944e0e4293c9c4efc4201b107136 | c566c5fec625f482ebfeb05f891657a9 |
| 3.9.1 | flashuploader.swf | b706cb01446002126f80c541a2fa62c0 | 6b214e93a4082ea689bcd23dbd34c4bd |
| 3.10.0 | io.swf | n/a - no vulnerability | ef4d5f86272e90e21a158882ecbd481b |
| 3.10.0 | flashuploader.swf | n/a - no vulnerability | 6b214e93a4082ea689bcd23dbd34c4bd |
| 3.10.1 | io.swf | n/a - no vulnerability | 445cb13e3ca4dabe551a57b2bd072754 |
| 3.10.1 | flashuploader.swf | n/a - no vulnerability | 6120a2df95072f29491d7cdb3a8aea32 |
| 3.10.2 | io.swf | 1e642bb8a5105dc429f8f3979ac559c4 | 445cb13e3ca4dabe551a57b2bd072754 |
| 3.10.2 | flashuploader.swf | n/a - no vulnerability | 6120a2df95072f29491d7cdb3a8aea32 |
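The bulletin asks you to scan every host for every version of these files. The following script is an added example (not part of the YUI bulletin or the YUI project) that walks a document root, finds files named io.swf, uploader.swf or flashuploader.swf, and classifies each by MD5 against the table above; the hash sets are transcribed from that table, and a digest that matches neither set is reported as "unknown" so it can be reviewed rather than assumed safe.

```python
import hashlib
import os

# MD5 values transcribed from the advisory's table: "Old MD5" column
# (vulnerable builds) and "Patched MD5" column (replacement builds).
VULNERABLE_MD5 = {
    "7f22020ec768608f2620681547e5cfbc", "528990efbd93fb7a9f7890a81ff94dd0",
    "eb6777f7fa9048ef2347d8210787896f", "c3491bb3c6863c5b05f5168adfd064d7",
    "7efdb06c1b588ed4878d7f24b366fac4", "1e642bb8a5105dc429f8f3979ac559c4",
    "aa54944e0e4293c9c4efc4201b107136", "e5d39fad451c70719dfda99f4ee39991",
    "b706cb01446002126f80c541a2fa62c0",
}
PATCHED_MD5 = {
    "c0aeb2d9ce51f404e792890578e2c71f", "b846bd01ce0946ac023811f8f81a1783",
    "023ba0ef89ba692ddc472e24def72c60", "f9bb520229719fd4f138918826ea0bbf",
    "ef4d5f86272e90e21a158882ecbd481b", "c566c5fec625f482ebfeb05f891657a9",
    "86c183e8ddd33b7012d033eaec52755d", "6b214e93a4082ea689bcd23dbd34c4bd",
    "445cb13e3ca4dabe551a57b2bd072754", "6120a2df95072f29491d7cdb3a8aea32",
}
# The three file names the advisory lists as affected.
AFFECTED_NAMES = {"io.swf", "uploader.swf", "flashuploader.swf"}


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large trees stay cheap."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_md5(digest):
    """Map an MD5 hex digest to a status using the advisory's table."""
    if digest in VULNERABLE_MD5:
        return "vulnerable"
    if digest in PATCHED_MD5:
        return "patched"
    return "unknown"  # not in the table: review by hand, do not assume safe


def scan_tree(root):
    """Walk root; return sorted (path, md5, status) for each affected file name."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in AFFECTED_NAMES:
                path = os.path.join(dirpath, name)
                digest = md5_of_file(path)
                findings.append((path, digest, classify_md5(digest)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, digest, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {digest} {path}")
```

Run it against each web root and copy of the YUI build directory; any line marked "vulnerable" should be replaced with the patched file for that version, and any "unknown" line deserves a manual look.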
Our Security and YUI page has information about how to contact us for security-related issues.