Moderate severityNVD Advisory· Published Nov 16, 2012· Updated Apr 29, 2026
CVE-2012-5881
CVE-2012-5881
Description
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to charts.swf, a similar issue to CVE-2010-4207.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
yui2npm | >= 2.4.0, <= 2.9.0 | — |
Affected products
14cpe:2.3:a:yahoo:yui:2.4.0:*:*:*:*:*:*:*+ 13 more
- cpe:2.3:a:yahoo:yui:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.8.1:pr1:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.9.0:pr2:*:*:*:*:*:*
- cpe:2.3:a:yahoo:yui:2.9.0:pr4:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- yuilibrary.com/support/20121030-vulnerability/nvdPatch
- www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/nvdVendor Advisory
- github.com/advisories/GHSA-jjg9-mf63-vqrpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2012-5881ghsaADVISORY
- www.securityfocus.com/bid/56385nvdWEB
- www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2ghsaWEB
- www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2ghsaWEB
- yuilibrary.com/support/20121030-vulnerabilityghsaWEB
- exchange.xforce.ibmcloud.com/vulnerabilities/80118nvdWEB
- www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/nvd
News mentions
0No linked articles in our index yet.