CVE-2013-6780
WSO2 Products Impacted: No
Customer Actions Required: No
REPORTED VULNERABILITY
Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via the allowedDomain parameter.
REPORTED PRODUCTS
- WSO2 API Manager : 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0
WSO2 JUSTIFICATION
CVE-2013-6780 describes a Cross-Site Scripting (XSS) vulnerability in the uploader.swf file of the Yahoo! YUI Uploader component, affecting YUI versions 2.5.0 through 2.9.0. The issue arises when attacker-controlled input reaches the allowedDomain parameter of the Flash-based uploader, which could result in the execution of arbitrary web script in the context of the victim's browser. However, the vulnerability is not exploitable in WSO2 products for the following reasons:
- WSO2 API Manager includes YUI as a front-end library within its Carbon Console, primarily for rendering UI elements such as menus, tabs, and dialog boxes. This inclusion is limited to the org.wso2.carbon.ui component. While the YUI library is present, the vulnerable uploader.swf file is not included, served, or referenced in any WSO2 API Manager product build or runtime distribution.
- The API Manager's Carbon Console does not reference or embed the YAHOO.widget.Uploader class or any related Flash integration. All file uploads operate independently of YUI and do not rely on any Flash upload component. Hence, the vulnerable code is never invoked in WSO2 products.
- Yahoo's advisory to remove uploader.swf is satisfied by default in WSO2 distributions, as the vulnerable file has never been packaged or distributed.
Given the above, WSO2 concludes that although the YUI library is present in the Carbon Console, the vulnerable functionality (uploader.swf) is not present, exposed, or used in the WSO2 products listed above. Therefore, CVE-2013-6780 does not apply to the listed versions, and no remediation or dependency upgrade is required in response to this CVE.
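The two factual claims behind this justification (no uploader.swf anywhere in the distribution, and no reference to the YAHOO.widget.Uploader class) are the kind of thing a reviewer should verify against an unpacked product directory rather than take from a scanner report. The script below is an added example, not WSO2 code: it walks a directory tree, looks inside .jar/.war/.zip bundles (recursing into nested archives), and reports both conditions. The directory layout and file contents built by build_sample_distribution(), including the bundle name org.wso2.carbon.ui_sample.jar, are constructed for illustration and do not reproduce the real product layout.

```python
"""Check an unpacked WSO2 distribution for CVE-2013-6780 exposure.

Added example (not WSO2 code): looks for the vulnerable uploader.swf file, on
disk or packaged inside .jar/.war/.zip bundles, and for references to the
YAHOO.widget.Uploader class in web assets. The directory layout produced by
build_sample_distribution() is constructed for illustration only.
"""
import io
import os
import tempfile
import zipfile

SWF_NAME = "uploader.swf"
UPLOADER_REF = b"YAHOO.widget.Uploader"
ARCHIVE_SUFFIXES = (".jar", ".war", ".zip")
TEXT_SUFFIXES = (".js", ".html", ".htm", ".jsp")


def _scan_zip(zf, prefix, findings):
    """Walk one archive; recurse into nested archives (e.g. a jar inside a war)."""
    for info in zf.infolist():
        if info.is_dir():
            continue
        entry = f"{prefix}!{info.filename}"
        if info.filename.rsplit("/", 1)[-1] == SWF_NAME:
            findings["swf_files"].append(entry)
        elif info.filename.endswith(TEXT_SUFFIXES):
            if UPLOADER_REF in zf.read(info):
                findings["uploader_refs"].append(entry)
        elif info.filename.endswith(ARCHIVE_SUFFIXES):
            with zipfile.ZipFile(io.BytesIO(zf.read(info))) as inner:
                _scan_zip(inner, entry, findings)


def scan_distribution(root):
    """Return {'swf_files': [...], 'uploader_refs': [...]} for the tree at root."""
    findings = {"swf_files": [], "uploader_refs": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            if fname == SWF_NAME:
                findings["swf_files"].append(path)
            elif fname.endswith(TEXT_SUFFIXES):
                with open(path, "rb") as fh:
                    if UPLOADER_REF in fh.read():
                        findings["uploader_refs"].append(path)
            elif fname.endswith(ARCHIVE_SUFFIXES):
                with zipfile.ZipFile(path) as zf:
                    _scan_zip(zf, path, findings)
    return findings


def is_exposed(findings):
    """True only if the vulnerable artifact or code that instantiates it is present."""
    return bool(findings["swf_files"] or findings["uploader_refs"])


def build_sample_distribution(root, include_uploader=False):
    """Constructed stand-in for a Carbon distribution (layout and contents invented).

    The YUI bundle always carries a 2.9.0 version string, which is what a
    dependency scanner keys on; only with include_uploader=True does it also
    carry uploader.swf and a page that instantiates YAHOO.widget.Uploader.
    """
    plugins = os.path.join(root, "repository", "components", "plugins")
    os.makedirs(plugins, exist_ok=True)
    jar_path = os.path.join(plugins, "org.wso2.carbon.ui_sample.jar")  # hypothetical name
    with zipfile.ZipFile(jar_path, "w") as zf:
        zf.writestr("web/yui/build/yahoo/yahoo-min.js",
                    "var YAHOO=YAHOO||{};YAHOO.VERSION='2.9.0';")
        zf.writestr("web/yui/build/menu/menu-min.js",
                    "YAHOO.widget.Menu=function(){};")
        if include_uploader:
            zf.writestr("web/yui/build/uploader/assets/uploader.swf", b"FWS\x09")
            zf.writestr("web/admin/js/upload.js",
                        "var u=new YAHOO.widget.Uploader('uploaderContainer');")
    return jar_path


def demo():
    """Scan a clean constructed tree and one with the uploader added."""
    results = {}
    for label, flag in (("clean", False), ("with_uploader", True)):
        with tempfile.TemporaryDirectory() as root:
            build_sample_distribution(root, include_uploader=flag)
            results[label] = scan_distribution(root)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: exposed={is_exposed(findings)} {findings}")
```

Point scan_distribution() at the unpacked product directory to check a real build. Dependency scanners generally key on the YUI version string alone, which is why the constructed clean tree deliberately carries YAHOO.VERSION='2.9.0' and is still reported as not exposed: the condition that matters for this CVE is the presence of uploader.swf or of code that instantiates YAHOO.widget.Uploader, and that is what the check looks for.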
CONCLUSION
- The uploader.swf file is not present in any WSO2 API Manager distribution.
- The YUI Uploader component is not used or referenced within the Carbon Console for file upload operations.
Therefore, WSO2 concludes that this vulnerability is not present in the aforementioned WSO2 products, and a dependency upgrade will not be carried out solely on the basis of a scanner detecting CVE-2013-6780.