GHSA-7h5p-637f-jfr7HighCVSS 8.6
StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template
🔗 CVE IDs covered (1)
📋 Description
Summary
The user supplied class value is fed directly into the sprintf call that creates HTML. You can add a quote to escape the class and then inject arbitrary html/javascript to the final output.
Details
The template here adds a figure with a class that is substituted in. This value is provided to sprintf here, an unescaped version of the class supplied by the user.
$template = <<<HTML
<figure class="%s" data-service="%s" %s %s>
<div class="embedvideo-wrapper" %s>%s%s%s</div>%s
</figure>
HTML;
PoC
Note the double quote immediately following the single quote to escape the class attribute in the template:
<youtube class='" onmouseover="alert(document.domain)' id="dQw4w9WgXcQ">dQw4w9WgXcQ</youtube>
Impact
Arbitrary HTML can be inserted into the DOM by any user on any page, allowing for JavaScript to be executed.
🎯 Affected products1
- composer/starcitizenwiki/embedvideo:<= 4.0.0
🔗 References (4)
- https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-7h5p-637f-jfr7
- https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84
- https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/releases/tag/v4.1.0
- https://github.com/advisories/GHSA-7h5p-637f-jfr7