exploitDog

GHSA-4j5h-mvj3-m48v

Published: 24 Sep 2025
Source: github
Github: Reviewed
CVSS3: 8.6

Description

Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes

Summary

The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext.

Details

The attributes of an iframe are populated with the value of an unreserved data attribute (data-iframeconfig) that can be set via wikitext:
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/ext.embedVideo.videolink.js#L5-L20

Similar code is also present here:
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/modules/iframe.js#L139-L155

It is possible to execute JS through attributes like onload or onmouseenter.

PoC

  1. Create a page with the following contents:

     <div class="embedvideo-evl" data-iframeconfig='{"onload": "alert(1)"}'>Click me!</div>
     <evlplayer></evlplayer>

  2. Click on the "Click me!" text
  3. Click on the "Load video" button below the image

Impact

Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.
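
The attribute-copy pattern described under Details, next to an allowlisted variant, as an added example. This is not the extension's code and not the fix from the upstream commit; the function names, the allowlist contents, the https-only rule for src and the `fakeElement` stand-in for a DOM node are assumptions.

```javascript
// Added example, not the extension's code. The allowlist is an assumption.
const ALLOWED_ATTRS = new Set(['src', 'width', 'height', 'title', 'allow', 'allowfullscreen']);

// Constructed sample of a data-iframeconfig value (onload taken from the PoC).
const SAMPLE_CONFIG = '{"onload": "alert(1)", "src": "https://example.org/embed/1", "width": 640}';

// Pattern from the advisory: every key of the wikitext-controlled JSON
// becomes an iframe attribute, so "onload" turns into an event handler.
function applyConfigUnsafe(iframe, rawConfig) {
  for (const [name, value] of Object.entries(JSON.parse(rawConfig))) {
    iframe.setAttribute(name, value);
  }
}

// Relative, malformed and non-https URLs (javascript:, data:) are rejected.
function isHttpsUrl(text) {
  try { return new URL(text).protocol === 'https:'; } catch (e) { return false; }
}

// Hardened form: tolerate bad JSON, keep allowlisted names only,
// accept scalar values only, and require an https: URL for src.
function filterIframeConfig(rawConfig) {
  let config;
  try { config = JSON.parse(rawConfig); } catch (e) { return {}; }
  if (config === null || typeof config !== 'object' || Array.isArray(config)) {
    return {};
  }
  const safe = {};
  for (const [name, value] of Object.entries(config)) {
    const key = name.toLowerCase();
    if (!ALLOWED_ATTRS.has(key)) continue;
    if (!['string', 'number', 'boolean'].includes(typeof value)) continue;
    if (key === 'src' && !isHttpsUrl(String(value))) continue;
    safe[key] = String(value);
  }
  return safe;
}

function applyConfigSafe(iframe, rawConfig) {
  for (const [name, value] of Object.entries(filterIframeConfig(rawConfig))) {
    iframe.setAttribute(name, value);
  }
}

// Stand-in for a DOM element (constructed) so the code runs outside a browser.
function fakeElement() {
  const attrs = {};
  return { attrs, setAttribute(n, v) { attrs[n] = String(v); } };
}
```

In a browser, pass the real iframe element instead of `fakeElement()`; the filter itself does not depend on the DOM.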

Packages

Name: starcitizenwiki/embedvideo (composer)
Affected versions: <= 4.0.0
Fixed version: None

EPSS

Percentile: 19%
Score: 0.00062
Rating: Low

CVSS3: 8.6 High

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 8.6
nvd
4 months ago

The EmbedVideo Extension is a MediaWiki extension which adds a parser function called #ev and various parser tags for embedding video clips from various video sharing services. In versions 4.0.0 and prior, the EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. This issue has been patched via commit 4e075d3.
