Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.

• http://www.plupload.com/punbb/viewtopic.php?pid=28690
• https://wordpress.org/news/2016/05/wordpress-4-5-2/
• http://www.openwall.com/lists/oss-security/2016/05/07/2
• https://codex.wordpress.org/Version_4.5.2
• https://core.trac.wordpress.org/changeset/37382/
• https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
• https://wpvulndb.com/vulnerabilities/8489
• http://www.securitytracker.com/id/1035818

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

• https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3
• http://seclists.org/oss-sec/2014/q4/616
• http://bugs.jqueryui.com/ticket/6016
• http://seclists.org/oss-sec/2014/q4/613
• http://rhn.redhat.com/errata/RHSA-2015-0442.html
• http://www.debian.org/security/2015/dsa-3249
• http://www.securityfocus.com/bid/71106
• http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
• http://rhn.redhat.com/errata/RHSA-2015-1462.html
• http://www.securitytracker.com/id/1037035
• https://exchange.xforce.ibmcloud.com/vulnerabilities/98696
• https://security.netapp.com/advisory/ntap-20190416-0007/
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
• https://www.drupal.org/sa-core-2022-002
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E

This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file.

• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMOXIECODE-2306664
• https://github.com/moxiecode/plupload/commit/d12175d4b5fa799b994ee1bb17bfbeec55b386fb
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2306665
• https://github.com/moxiecode/plupload/blob/master/js/jquery.plupload.queue/jquery.plupload.queue.js%23L226
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2306663
• https://snyk.io/vuln/SNYK-JS-PLUPLOAD-1583909