CVE-2012-5882
WSO2 Products Impacted: No
Customer Actions Required: No
REPORTED VULNERABILITY
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader.swf, a similar issue to CVE-2010-4208.
REPORTED PRODUCTS
- WSO2 API Manager: 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0
WSO2 JUSTIFICATION
This vulnerability allows JavaScript injection exploits to be created against the domains that host affected YUI .swf files. However, the identified vulnerability is not exploitable in WSO2 products for the following reasons:
- WSO2 API Manager includes YUI as a front-end library within its Carbon Console, primarily for rendering UI elements such as menus, tabs, and dialog boxes. This inclusion is limited to the org.wso2.carbon.ui component: WSO2 products have integrated selected YUI components to enhance the user interface of the management console. While the YUI library is present, the vulnerable uploader.swf file is not included, served, or referenced in any WSO2 API Manager product build or runtime distribution.
- Yahoo's advisory to remove the .swf files is satisfied by default in WSO2 distributions, as the vulnerable file has never been packaged or distributed.
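The justification above rests on a verifiable fact: no .swf file, and in particular no uploader.swf, ships in the distribution. The script below is an added example (not WSO2's own tooling) that lets an operator confirm this on an unpacked product directory. It walks the tree, reports .swf files on disk and inside Java archives (.jar, .war, .zip), and builds a constructed sample tree to show both a clean and a flagged case; the directory names and the sample jar contents are assumptions made for the demonstration.

```python
import os
import tempfile
import zipfile
from typing import List

# Archive types that WSO2/Carbon distributions typically bundle UI resources in.
ARCHIVE_SUFFIXES = (".jar", ".war", ".zip")


def find_swf(root: str) -> List[str]:
    """Return every .swf found under root, on disk or inside archives.

    Archive hits are reported as '<archive path>!<entry name>' so the
    operator can locate the exact bundle that would need removal.
    """
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".swf"):
                hits.append(path)
            elif lower.endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for entry in zf.namelist():
                        if entry.lower().endswith(".swf"):
                            hits.append(f"{path}!{entry}")
    return sorted(hits)


def mentions_uploader(hits: List[str]) -> bool:
    """True if any hit is the YUI uploader component named in CVE-2012-5882."""
    return any(h.lower().endswith("uploader.swf") for h in hits)


def build_sample_distribution() -> str:
    """Constructed sample tree (an assumption, not a real WSO2 layout).

    clean/   - a jar carrying only JS/CSS, as the advisory describes
    flagged/ - a jar that bundles YUI's uploader.swf, the case to catch
    """
    root = tempfile.mkdtemp(prefix="swf-check-")
    clean = os.path.join(root, "clean", "repository", "components", "plugins")
    flagged = os.path.join(root, "flagged", "repository", "components", "plugins")
    os.makedirs(clean)
    os.makedirs(flagged)

    with zipfile.ZipFile(os.path.join(clean, "org.wso2.carbon.ui_1.0.0.jar"), "w") as zf:
        zf.writestr("web/yui/build/menu/menu-min.js", "/* constructed */")
        zf.writestr("web/yui/build/tabview/assets/tabview.css", "/* constructed */")

    with zipfile.ZipFile(os.path.join(flagged, "yui-full_2.9.0.jar"), "w") as zf:
        zf.writestr("yui/build/uploader/assets/uploader.swf", b"FWS\x0a")
    return root


if __name__ == "__main__":
    sample = build_sample_distribution()
    for subtree in ("clean", "flagged"):
        found = find_swf(os.path.join(sample, subtree))
        status = "FLAGGED" if mentions_uploader(found) else "clean"
        print(f"{subtree}: {status} {found}")
```

Run it against the real `<CARBON_HOME>` directory instead of the sample tree to verify the advisory's claim for an installed build; an empty result means no Flash component is present to serve.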
CONCLUSION
Given the above, WSO2 concludes that although the YUI library is present in the Carbon Console, the vulnerable functionality (uploader.swf) is not present, exposed, or used in the above-mentioned WSO2 products. Therefore, CVE-2012-5882 does not apply to the listed versions of WSO2 products, and no remediation or dependency upgrade is required in response to this CVE.