While this doesn't appear to directly result in a vulnerability in this module, the bundled YUI library is deprecated and has known vulnerabilities externally.

A RetireJS scan of this module turned up:
severity: high; CVE: CVE-2012-5882; http://www.cvedetails.com/cve/CVE-2012-5882/
severity: high; CVE: CVE-2012-5881; http://www.cvedetails.com/cve/CVE-2012-5881/
severity: medium; CVE: CVE-2010-4710; http://www.cvedetails.com/cve/CVE-2010-4710/
severity: high; CVE: CVE-2010-4208; http://www.cvedetails.com/cve/CVE-2010-4208/
severity: high; CVE: CVE-2010-4207; http://www.cvedetails.com/cve/CVE-2010-4207/

You can see this by:
1. Downloading this module package
2. Running RetireJS against the contents
3. Validating the results against the CVE database.

As OWASP A-9 "Using components with known vulnerabilities" is a real concern, this should probably get fixed, as the longer this legacy library sits there, the greater the chance that vulnerabilities arise.

Comments

geekamongus created an issue. See original summary.

hass commented:

Version: 7.x-1.17 » 7.x-1.x-dev
Category: Support request » Task

Only non-bundled .SWF files have issues.
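
One way to triage the scan from the steps in the issue summary and check the reply's point about .SWF files against the package you actually downloaded. This is an added example, not code from the module or from RetireJS. It assumes the report layout of `retire --outputformat json` (`data[].results[].vulnerabilities[]` with `severity` and `identifiers.CVE`); the file paths and version in the sample are constructed placeholders.

```javascript
// Added example. Report schema is assumed from `retire --outputformat json`.
const RANK = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };

// Flatten the report into one row per (file, component, vulnerability).
function flatten(report) {
  // Assumption: newer reports wrap entries in `data`; older ones are a bare array.
  const entries = Array.isArray(report) ? report : (report.data || []);
  const rows = [];
  for (const entry of entries) {
    for (const res of entry.results || []) {
      for (const vuln of res.vulnerabilities || []) {
        rows.push({
          file: entry.file,
          component: res.component,
          version: res.version,
          severity: String(vuln.severity || 'none').toLowerCase(),
          cves: (vuln.identifiers && vuln.identifiers.CVE) || [],
        });
      }
    }
  }
  return rows;
}

// Keep findings at or above minSeverity and list any .swf files in the package.
function triage(report, packageFiles, minSeverity = 'medium') {
  const floor = RANK[minSeverity];
  if (floor === undefined) throw new Error('unknown severity: ' + minSeverity);
  const findings = flatten(report).filter((r) => (RANK[r.severity] || 0) >= floor);
  const cves = [...new Set(findings.flatMap((r) => r.cves))].sort();
  const swfFiles = packageFiles.filter((p) => p.toLowerCase().endsWith('.swf'));
  return { findings, cves, swfFiles };
}

// Constructed sample: path and version are placeholders; CVE ids and
// severities are the ones listed in the issue summary.
const vuln = (severity, cve) => ({ severity, identifiers: { CVE: [cve] } });
const sampleReport = { data: [{ file: 'MODULE/yui/PLACEHOLDER.js', results: [{
  component: 'yui', version: 'PLACEHOLDER', vulnerabilities: [
    vuln('high', 'CVE-2012-5882'), vuln('high', 'CVE-2012-5881'),
    vuln('medium', 'CVE-2010-4710'), vuln('high', 'CVE-2010-4208'),
    vuln('high', 'CVE-2010-4207')] }] }] };
const samplePackage = ['MODULE/README.txt', 'MODULE/yui/PLACEHOLDER.js'];

const result = triage(sampleReport, samplePackage, 'high');
console.log(result.cves.join('\n'));
console.log('.swf files in package:', result.swfFiles.length);
```

The `cves` list is what step 3 looks up in the CVE database; `packageFiles` is the file listing of the extracted module package.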