MidnightBSD

Advisories for yahoo

CVE-2000-0047 MEDIUM

Buffer overflow in Yahoo Pager/Messenger client allows remote attackers to cause a denial of service via a long URL within a message.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo pager 733
CVE-2002-0031 MEDIUM

Buffer overflows in Yahoo! Messenger 5,0,0,1064 and earlier allows remote attackers to execute arbitrary code via a ymsgr URI with long arguments to (1) call, (2) sendim, (3) getimv, (4) chat, (5) addview, or (6) addfriend.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 5.0
CVE-2002-0032 HIGH

Yahoo! Messenger 5,0,0,1064 and earlier allows remote attackers to execute arbitrary script as other users via the addview parameter of a ymsgr URI.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 5.0
CVE-2002-0320 HIGH

Buffer overflow in Yahoo! Messenger 5.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long (1) message or (2) IMvironment field.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 5.0
CVE-2002-0321 MEDIUM

Yahoo! Messenger 5.0 allows remote attackers to spoof other users by modifying the username and using the spoofed username for social engineering or denial of service (flooding) attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 5.0
CVE-2002-0322 HIGH

Yahoo! Messenger 4.0 sends user passwords in cleartext, which could allow remote attackers to gain privileges of other users via sniffing.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 4.0
CVE-2002-1664 MEDIUM

Yahoo! Messenger before February 2002 allows remote attackers to add arbitrary users to another user's buddy list and possibly obtain sensitive information.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 5.0
CVE-2002-1665 HIGH

Buffer overflow in Yahoo! Messenger before February 2002 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long set_buddygrp field.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 5.0
CVE-2002-2361 MEDIUM

The installer in Yahoo! Messenger 4.0, 5.0 and 5.5 does not verify package signatures which could allow remote attackers to install trojan programs via DNS spoofing.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
yahoo messenger 4.0
yahoo messenger 5.0
yahoo messenger 5.5
CVE-2003-1129 LOW

Buffer overflow in the Yahoo! Audio Conferencing (aka Voice Chat) ActiveX control before 1,0,0,45 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a URL with a long hostname to Yahoo! Messenger or Yahoo! Chat.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo audio_conferencing_activex_control 1.0.0.43
CVE-2003-1135 LOW

Buffer overflow in Yahoo! Messenger 5.6 allows remote attackers to cause a denial of service (crash) via a file send request (sendfile) with a large number of "%" (percent) characters after the Yahoo ID.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 5.6
CVE-2004-0043 HIGH

Buffer overflow in Yahoo Instant Messenger 5.6.0.1351 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename in the download feature.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger *
CVE-2005-0242 MEDIUM

The Audio Setup Wizard (asw.dll) in Yahoo! Messenger 6.0.0.1750, and possibly other versions, allows attackers to arbitrary code by placing a malicious ping.exe program into the Messenger program directory, which is installed with weak default permissions.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 6.0
yahoo messenger 6.0.0.1750
yahoo messenger 5.6.0.1351
yahoo messenger 5.6
yahoo messenger 5.5
CVE-2005-0243 MEDIUM

Yahoo! Messenger 6.0.0.1750, and possibly other versions before 6.0.0.1921, does not properly display long filenames in file dialog boxes, which could allow remote attackers to trick users into downloading and executing programs via file names containing a large number of spaces and multiple file extensions.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 6.0
yahoo messenger 6.0.0.1750
yahoo messenger 5.6.0.1351
yahoo messenger 5.6
yahoo messenger 5.5
CVE-2005-0737 HIGH

Buffer overflow in Yahoo! Messenger allows remote attackers to execute arbitrary code via the offline mode.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 6.0
yahoo messenger 5.6.0.1347
yahoo messenger 4.0
yahoo messenger 5.6.0.1356
yahoo messenger 5.6.0.1358
yahoo messenger 5.0
yahoo messenger 5.6
yahoo messenger 5.0.1065
yahoo messenger 5.5
yahoo messenger 6.0.0.1921
yahoo messenger 5.5.1249
yahoo messenger 6.0.0.1750
yahoo messenger 5.6.0.1355
yahoo messenger 5.0.1232
yahoo messenger 5.0.1046
yahoo messenger 6.0.0.1643
yahoo messenger 5.6.0.1351
CVE-2005-1618 MEDIUM

The YMSGR URL handler in Yahoo! Messenger 5.x through 6.0 allows remote attackers to cause a denial of service (disconnect) via a room login or a room join request packet with a third : (colon) and an & (ampersand), which causes Messenger to send a corrupted packet to the server, which triggers a disconnect from the server.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 6.0
yahoo messenger 5.6
yahoo messenger 5.5
CVE-2005-1671 LOW

The Logfile feature in Yahoo! Messenger 5.x through 6.0 can be activated by a YMSGR: URL and writes all output to a single ypager.log file, even when there are multiple users, and does not properly warn later users that the feature has been enabled, which allows local users to obtain sensitive information from other users.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 6.0
yahoo messenger 5.6.0.1351
yahoo messenger 5.6
yahoo messenger 5.5
CVE-2006-3298 MEDIUM

Yahoo! Messenger 7.5.0.814 and 7.0.438 allows remote attackers to cause a denial of service (crash) via messages that contain non-ASCII characters, which triggers the crash in jscript.dll.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo messenger 7.0.438
yahoo messenger 7.5.0.814
CVE-2007-2385 MEDIUM

The Yahoo! UI framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yahoo ui_library *
CVE-2010-4207 MEDIUM

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
yahoo yui 2.7.0
yahoo yui 2.5.0
yahoo yui 2.5.2
yahoo yui 2.8.1
yahoo yui 2.8.0
yahoo yui 2.6.0
yahoo yui 2.5.1
yahoo yui 2.4.0
CVE-2010-4208 MEDIUM

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader/assets/uploader.swf.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
yahoo yui 2.7.0
yahoo yui 2.5.0
yahoo yui 2.5.2
yahoo yui 2.8.1
yahoo yui 2.8.0
yahoo yui 2.6.0
yahoo yui 2.5.1
CVE-2010-4209 MEDIUM

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1 through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore/swfstore.swf.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
yahoo yui 2.8.1
yahoo yui 2.8.0
CVE-2010-4710 MEDIUM

Cross-site scripting (XSS) vulnerability in the addItem method in the Menu widget in YUI before 2.9.0 allows remote attackers to inject arbitrary web script or HTML via a field that is added to a menu, related to documentation that specifies this field as a text field rather than an HTML field, a similar issue to CVE-2010-4569 and CVE-2010-4570.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
yahoo yui 2.2.0
yahoo yui 2.5.0
yahoo yui *
yahoo yui 2.4.1
yahoo yui 2.3.0
yahoo yui 2.6.0
yahoo yui 2.4.0
yahoo yui 2.2.2
yahoo yui 2.7.0
yahoo yui 2.3.1
yahoo yui 2.5.2
yahoo yui 2.8.1
yahoo yui 2.8.0
yahoo yui 2.5.1
CVE-2012-0268 MEDIUM

Integer overflow in the CYImage::LoadJPG method in YImage.dll in Yahoo! Messenger before 11.5.0.155, when photo sharing is enabled, might allow remote attackers to execute arbitrary code via a crafted JPG image that triggers a heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
yahoo messenger 9.0.0.2018
yahoo messenger 7.0.438
yahoo messenger 8.0.0.505
yahoo messenger 9.0.0.1389
yahoo messenger 7.5
yahoo messenger 8.1.0.239
yahoo messenger 10.0.0.331
yahoo messenger 9.0.0.2034
yahoo messenger 10.0.0.1264
yahoo messenger 10.0.0.1267
yahoo messenger 8.1.0.416
yahoo messenger 5.6.0.1356
yahoo messenger 5.6
yahoo messenger 7.0.0.426
yahoo messenger 4.1
yahoo messenger 9.0.0.2123
yahoo messenger 5.5.1249
yahoo messenger 6.0.0.1750
yahoo messenger 8.1.0.401
yahoo messenger 8.1.0.413
yahoo messenger 9.0.0.2160
yahoo messenger 8.0_2005.1.1.4
yahoo messenger 11.0.0.2014
yahoo messenger *
yahoo messenger 8.1.0.421
yahoo messenger 10.0.0.525
yahoo messenger 5.6.0.1347
yahoo messenger 8.1.0.195
yahoo messenger 7.0.0.437
yahoo messenger 5.0.1065
yahoo messenger 9.0.0.797
yahoo messenger 6.0.0.1921
yahoo messenger 1.0.4
yahoo messenger 10.0.0.542
yahoo messenger 10.0.0.1241
yahoo messenger 0.99.17-1
yahoo messenger 2.0.1.4
yahoo messenger 5.6.0.1351
yahoo messenger 9.0.0.2112
yahoo messenger 8.1.0.419
yahoo messenger 7.0
yahoo messenger 8.0.0.508
yahoo messenger 10.0.0.1102
yahoo messenger 9.0.0.2136
yahoo messenger 11.0.0.1751
yahoo messenger 9.0.0.907
yahoo messenger 4.0
yahoo messenger 8.0
yahoo messenger 5.6.0.1358
yahoo messenger 9.0.0.2161
yahoo messenger 5.0
yahoo messenger 1.0
yahoo messenger 5.5
yahoo messenger 8.0.0.701
yahoo messenger 9.0.0.2128
yahoo messenger 6.1
yahoo messenger 5.0.1046
yahoo messenger 9.0.0.922
yahoo messenger 10.0.0.1258
yahoo messenger 6.0
yahoo messenger 8.0.0.716
yahoo messenger 8.1.0.402
yahoo messenger 10.0.0.1270
yahoo messenger 3.0
yahoo messenger 3.5
yahoo messenger 8.1
yahoo messenger 3.0.1
yahoo messenger 8.0.0.863
yahoo messenger 8.0.1
yahoo messenger 1.0.6
yahoo messenger 8.1.0.209
yahoo messenger 11.0.0.2009
yahoo messenger 9.0.0.2162
yahoo messenger 5.6.0.1355
yahoo messenger 5.0.1232
yahoo messenger 6.0.0.1643
yahoo messenger 9.0.0.2152
yahoo messenger 7.5.0.814
yahoo messenger 9.0.0.1912
yahoo messenger 8.1.0.249
yahoo messenger 8.1.0.244
yahoo messenger 9.0.0.2133
CVE-2012-2645 MEDIUM

The Yahoo! Japan Yahoo! Browser application 1.2.0 and earlier for Android does not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
yahoo yahoo!_browser *
CVE-2012-5881 MEDIUM

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to charts.swf, a similar issue to CVE-2010-4207.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
yahoo yui 2.9.0
yahoo yui 2.7.0
yahoo yui 2.5.0
yahoo yui 2.5.2
yahoo yui 2.8.1
yahoo yui 2.8.0
yahoo yui 2.8.2
yahoo yui 2.4.1
yahoo yui 2.6.0
yahoo yui 2.5.1
yahoo yui 2.4.0
CVE-2012-5882 MEDIUM

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader.swf, a similar issue to CVE-2010-4208.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
yahoo yui 2.9.0
yahoo yui 2.7.0
yahoo yui 2.5.0
yahoo yui 2.5.2
yahoo yui 2.8.1
yahoo yui 2.8.0
yahoo yui 2.8.2
yahoo yui 2.4.1
yahoo yui 2.6.0
yahoo yui 2.5.1
yahoo yui 2.4.0
CVE-2012-5883 MEDIUM

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore.swf, a similar issue to CVE-2010-4209.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mozilla bugzilla 4.0.6
yahoo yui 2.9.0
mozilla bugzilla 4.0.8
mozilla bugzilla 3.7.3
mozilla bugzilla 4.0.1
mozilla bugzilla 4.1
mozilla bugzilla 4.3.2
mozilla bugzilla 4.0.3
mozilla bugzilla 4.3.1
yahoo yui 2.8.1
yahoo yui 2.8.0
yahoo yui 2.8.2
mozilla bugzilla 4.0.2
mozilla bugzilla 4.0.5
mozilla bugzilla 4.3.3
mozilla bugzilla 4.0
mozilla bugzilla 4.2.1
mozilla bugzilla 4.3
mozilla bugzilla 4.1.3
mozilla bugzilla 4.0.4
mozilla bugzilla 4.2.2
mozilla bugzilla 4.1.2
mozilla bugzilla 4.2
mozilla bugzilla 4.1.1
mozilla bugzilla 4.2.3
mozilla bugzilla 3.7.2
mozilla bugzilla 4.0.7
mozilla bugzilla 3.7
mozilla bugzilla 3.7.1
CVE-2013-2307 MEDIUM

The Yahoo! Browser application before 1.4.3 for Android allows remote attackers to spoof the address bar via a crafted web site.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
yahoo yahoo!_browser 1.2.0
yahoo yahoo!_browser *
CVE-2013-2316 MEDIUM

The Yahoo! Browser application 1.4.4 and earlier for Android allows remote attackers to spoof the address bar via vectors related to URL display, a different vulnerability than CVE-2013-2307.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
yahoo yahoo!_browser 1.2.0
yahoo yahoo!_browser 1.4.2
yahoo yahoo!_browser 1.4.4
yahoo yahoo!_browser *
CVE-2013-4699 MEDIUM

The Yahoo! Japan Yafuoku! application 4.3.0 and earlier for iOS and Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
yahoo yafuoku! *
CVE-2013-4700 MEDIUM

The Yahoo! Japan Shopping application 1.4 and earlier for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
yahoo japan_shopping *
CVE-2013-4873 MEDIUM

The Yahoo! Tumblr app before 3.4.1 for iOS sends cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
yahoo tumblr *
CVE-2013-4939 MEDIUM

Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.0.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.2.3
yahoo yui 3.10.0
moodle moodle 2.1.6
yahoo yui 3.10.1
moodle moodle 2.1.2
moodle moodle 2.2.6
moodle moodle 2.4.0
moodle moodle 2.3.5
moodle moodle 2.1.5
moodle moodle 2.2.0
yahoo yui 3.4.0
moodle moodle 2.4.2
moodle moodle 2.1.3
moodle moodle 2.2.7
yahoo yui 3.1.1
yahoo yui 3.0.0
yahoo yui 3.5.1
moodle moodle 2.1.9
moodle moodle 2.2.1
yahoo yui 3.8.0
moodle moodle 2.2.10
moodle moodle 2.4.3
moodle moodle 2.1.8
yahoo yui 3.6.0
moodle moodle 2.3.4
moodle moodle 2.1.4
moodle moodle 2.1.10
moodle moodle 2.4.4
moodle moodle 2.1.7
moodle moodle 2.2.4
yahoo yui 3.9.1
moodle moodle 2.4.1
yahoo yui 3.7.2
yahoo yui 3.9.0
moodle moodle 2.5.0
yahoo yui 3.1.2
moodle moodle 2.2.5
yahoo yui 3.7.0
moodle moodle 2.1.0
moodle moodle 2.1.1
moodle moodle 2.2.9
moodle moodle 2.2.2
moodle moodle 2.2.8
yahoo yui 3.8.1
yahoo yui 3.7.3
yahoo yui 3.1.0
yahoo yui 3.5.0
yahoo yui 3.3.0
yahoo yui 3.7.1
yahoo yui 3.10.2
moodle moodle 2.3.6
moodle moodle 2.3.7
moodle moodle 2.3.1
moodle moodle 2.3.2
moodle moodle 2.3.3
yahoo yui 3.4.1
moodle moodle 2.3.0
yahoo yui 3.2.0
CVE-2013-4940 MEDIUM

Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.2.3
yahoo yui 3.10.0
moodle moodle 2.1.6
yahoo yui 3.10.1
moodle moodle 2.1.2
moodle moodle 2.2.6
moodle moodle 2.4.0
moodle moodle 2.3.5
moodle moodle 2.1.5
moodle moodle 2.2.0
yahoo yui 3.4.0
moodle moodle 2.4.2
moodle moodle 2.1.3
moodle moodle 2.2.7
yahoo yui 3.1.1
yahoo yui 3.0.0
yahoo yui 3.5.1
moodle moodle 2.1.9
moodle moodle 2.2.1
yahoo yui 3.8.0
moodle moodle 2.2.10
moodle moodle 2.4.3
moodle moodle 2.1.8
yahoo yui 3.6.0
moodle moodle 2.3.4
moodle moodle 2.1.4
moodle moodle 2.1.10
moodle moodle 2.4.4
moodle moodle 2.1.7
moodle moodle 2.2.4
yahoo yui 3.9.1
moodle moodle 2.4.1
yahoo yui 3.7.2
yahoo yui 3.9.0
moodle moodle 2.5.0
yahoo yui 3.1.2
moodle moodle 2.2.5
yahoo yui 3.7.0
moodle moodle 2.1.0
moodle moodle 2.1.1
moodle moodle 2.2.9
moodle moodle 2.2.2
moodle moodle 2.2.8
yahoo yui 3.8.1
yahoo yui 3.7.3
yahoo yui 3.1.0
yahoo yui 3.5.0
yahoo yui 3.3.0
yahoo yui 3.7.1
yahoo yui 3.10.2
moodle moodle 2.3.6
moodle moodle 2.3.7
moodle moodle 2.3.1
moodle moodle 2.3.2
moodle moodle 2.3.3
yahoo yui 3.4.1
moodle moodle 2.3.0
yahoo yui 3.2.0
CVE-2013-4941 MEDIUM

Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.2.3
yahoo yui 3.10.0
moodle moodle 2.1.6
yahoo yui 3.10.1
moodle moodle 2.1.2
moodle moodle 2.2.6
moodle moodle 2.4.0
moodle moodle 2.3.5
moodle moodle 2.1.5
moodle moodle 2.2.0
yahoo yui 3.4.0
moodle moodle 2.4.2
moodle moodle 2.1.3
moodle moodle 2.2.7
yahoo yui 3.1.1
yahoo yui 3.0.0
yahoo yui 3.5.1
moodle moodle 2.1.9
moodle moodle 2.2.1
yahoo yui 3.8.0
moodle moodle 2.2.10
moodle moodle 2.4.3
moodle moodle 2.1.8
yahoo yui 3.6.0
moodle moodle 2.3.4
moodle moodle 2.1.4
moodle moodle 2.1.10
moodle moodle 2.4.4
moodle moodle 2.1.7
moodle moodle 2.2.4
yahoo yui 3.9.1
moodle moodle 2.4.1
yahoo yui 3.7.2
yahoo yui 3.9.0
moodle moodle 2.5.0
yahoo yui 3.1.2
moodle moodle 2.2.5
yahoo yui 3.7.0
moodle moodle 2.1.0
moodle moodle 2.1.1
moodle moodle 2.2.9
moodle moodle 2.2.2
moodle moodle 2.2.8
yahoo yui 3.8.1
yahoo yui 3.7.3
yahoo yui 3.1.0
yahoo yui 3.5.0
yahoo yui 3.3.0
yahoo yui 3.7.1
yahoo yui 3.10.2
moodle moodle 2.3.6
moodle moodle 2.3.7
moodle moodle 2.3.1
moodle moodle 2.3.2
moodle moodle 2.3.3
yahoo yui 3.4.1
moodle moodle 2.3.0
yahoo yui 3.2.0
CVE-2013-4942 MEDIUM

Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.2.3
yahoo yui 3.10.0
moodle moodle 2.1.6
yahoo yui 3.10.1
moodle moodle 2.1.2
moodle moodle 2.2.6
moodle moodle 2.4.0
moodle moodle 2.3.5
moodle moodle 2.1.5
moodle moodle 2.2.0
moodle moodle 2.4.2
moodle moodle 2.1.3
moodle moodle 2.2.7
yahoo yui 3.5.1
moodle moodle 2.1.9
moodle moodle 2.2.1
yahoo yui 3.8.0
moodle moodle 2.2.10
moodle moodle 2.4.3
moodle moodle 2.1.8
yahoo yui 3.6.0
moodle moodle 2.3.4
moodle moodle 2.1.4
moodle moodle 2.1.10
moodle moodle 2.4.4
moodle moodle 2.1.7
moodle moodle 2.2.4
yahoo yui 3.9.1
moodle moodle 2.4.1
yahoo yui 3.7.2
yahoo yui 3.9.0
moodle moodle 2.5.0
moodle moodle 2.2.5
yahoo yui 3.7.0
moodle moodle 2.1.0
moodle moodle 2.1.1
moodle moodle 2.2.9
moodle moodle 2.2.2
moodle moodle 2.2.8
yahoo yui 3.8.1
yahoo yui 3.7.3
yahoo yui 3.5.0
yahoo yui 3.7.1
yahoo yui 3.10.2
moodle moodle 2.3.6
moodle moodle 2.3.7
moodle moodle 2.3.1
moodle moodle 2.3.2
moodle moodle 2.3.3
moodle moodle 2.3.0
CVE-2013-6780 MEDIUM

Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via the allowedDomain parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
yahoo yui 2.9.0
yahoo yui 2.7.0
yahoo yui 2.5.0
yahoo yui 2.5.2
yahoo yui 2.8.1
yahoo yui 2.8.0
yahoo yui 2.8.2
yahoo yui 2.6.0
yahoo yui 2.5.1
CVE-2013-6853 MEDIUM

Cross-site scripting (XSS) vulnerability in clickstream.js in Y! Toolbar plugin for FireFox 3.1.0.20130813024103 for Mac, and 2.5.9.2013418100420 for Windows, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is stored by the victim.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
yahoo toolbar 2.5.9.2013418100420
yahoo toolbar 3.1.0.20130813024103
CVE-2014-5881 MEDIUM

The Yahoo! Japan Box (aka jp.co.yahoo.android.ybox) application 1.5.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
yahoo yahoo_ybox 1.5.1
CVE-2014-7216 HIGH

Multiple stack-based buffer overflows in Yahoo! Messenger 11.5.0.228 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the (1) shortcut or (2) title keys in an emoticons.xml file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
yahoo messenger *
CVE-2017-2253 HIGH

Untrusted search path vulnerability in Installer of Yahoo! Toolbar (for Internet explorer) v8.0.0.6 and earlier, with its timestamp prior to June 13, 2017, 18:18:55 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-426,

Products Affected

Vendor Product Version
yahoo toolbar *
CVE-2019-6035 MEDIUM

Open redirect vulnerability in Athenz v1.8.24 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
yahoo athenz *
CVE-2026-34043

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
yahoo serialize *