VYPR
Unrated severity · NVD Advisory · Published Apr 2, 2013 · Updated Apr 29, 2026

CVE-2013-1808

Description

Cross-site scripting (XSS) vulnerability in ZeroClipboard.swf and ZeroClipboard10.swf in ZeroClipboard before 1.0.8, as used in em-shorty, RepRapCalculator, Fulcrum, Django, aCMS, and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: this might be the same vulnerability as CVE-2013-1463. If so, it is likely that CVE-2013-1463 will be REJECTed.

Affected products

2
  • cpe:2.3:a:zeroclipboard_project:zeroclipboard:*:*:*:*:*:*:*:* (range: <=1.0.7)
  • cpe:2.3:a:zeroclipboard_project:zeroclipboard:1.0.5:*:*:*:*:*:*:*

Patches

1
a0e02933f5f7

escape fix because XSS risk like

1 file changed · +1 -1
  • ZeroClipboard.as · +1 -1 · modified
    @@ -28,7 +28,7 @@
     			// import flashvars
     			var flashvars:Object = LoaderInfo( this.root.loaderInfo ).parameters;
     			id = flashvars.id;
    -			
    +			id = id.split("\\").join("\\\\");
     			// invisible button covers entire stage
     			button = new Sprite();
     			button.buttonMode = true;
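
Review bot: the added line id = id.split("\\").join("\\\\"); calls a method on id without checking that flashvars.id was supplied, so a movie loaded without an id parameter fails on a null reference at this point; guard the value before the call. The same line escapes only the backslash, while id is copied straight from flashvars one line above. Since the commit message gives XSS as the reason, validate id against an allowlist of the characters a legitimate client id can contain and reject anything else, rather than escaping a single character. Please also add a comment naming the downstream use this escaping protects, because nothing in the hunk tells a maintainer why the line must stay.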
    

