Search for packages
| purl | pkg:npm/yui@3.6.0pr1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1e39-62g9-j7d2
Aliases: CVE-2013-4939 GHSA-mj87-8xf8-fp4w |
Cross-Site Scripting in yui Affected versions of `yui` are vulnerable to cross-site scripting in the `uploader.swf` and `io.swf` utilities, via script injection in the url. ## Recommendation YUI has published their recommendation to fix this issue. Their recommendation is to: - Delete self-hosted copies of these files if you are not using them - Use the Yahoo! CDN hosted files - Use the patched files provided on the YUI Library [here](https://yuilibrary.com/support/20130515-vulnerability/#resolution). |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-hexy-ppcc-mubc
Aliases: CVE-2013-4942 GHSA-9ww8-j8j2-3788 |
YUI Cross-site Scripting (XSS) vulnerability Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. |
Affected by 2 other vulnerabilities. |
|
VCID-t85p-u6ky-zbbn
Aliases: CVE-2013-4941 GHSA-64r3-582j-frqm |
YUI Cross-site Scripting (XSS) vulnerability Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. |
Affected by 2 other vulnerabilities. |
|
VCID-wksm-3eed-kqg9
Aliases: CVE-2013-4940 GHSA-x5hj-47vv-53p8 |
YUI Cross-site Scripting (XSS) vulnerability Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-03T18:16:19.866870+00:00 | GitLab Importer | Affected by | VCID-wksm-3eed-kqg9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/yui/CVE-2013-4940.yml | 37.0.0 |
| 2025-07-03T18:15:51.176100+00:00 | GitLab Importer | Affected by | VCID-t85p-u6ky-zbbn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/yui/CVE-2013-4941.yml | 37.0.0 |
| 2025-07-03T18:15:42.958727+00:00 | GitLab Importer | Affected by | VCID-hexy-ppcc-mubc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/yui/CVE-2013-4942.yml | 37.0.0 |
| 2025-07-03T17:12:16.718779+00:00 | GitLab Importer | Affected by | VCID-1e39-62g9-j7d2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/yui/CVE-2013-4939.yml | 37.0.0 |