Severity: HIGH 8.6

GHSA-7h5p-637f-jfr7

StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template

Details

### Summary

The user-supplied `class` value is fed directly into the `sprintf` call that builds the HTML. A double quote in the value closes the `class` attribute, after which arbitrary HTML/JavaScript reaches the final output.

### Details

The template [here](https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/a573a16d925ee0ea0d34b360856dc8ab0b88f822/includes/EmbedService/EmbedHtmlFormatter.php#L138) emits a `<figure>` whose `class` attribute is substituted in. The value handed to `sprintf` [here](https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/a573a16d925ee0ea0d34b360856dc8ab0b88f822/includes/EmbedService/EmbedHtmlFormatter.php#L156) is the user-supplied class, unescaped.

```
$template = <<<HTML
<figure class="%s" data-service="%s" %s %s>
<div class="embedvideo-wrapper" %s>%s%s%s</div>%s
</figure>
HTML;
```

### PoC

Note the double quote immediately following the single quote, which closes the `class` attribute in the template:

```
<youtube class='" onmouseover="alert(document.domain)' id="dQw4w9WgXcQ">dQw4w9WgXcQ</youtube>
```

### Impact

Arbitrary HTML can be inserted into the DOM by any user on any page, allowing JavaScript to be executed.
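The root cause is an attribute-context injection: a value that is interpolated into `class="%s"` must not be able to contain a `"`. As an added illustration that is not the extension's code, the following PHP puts the unsafe `sprintf` pattern next to a hardened version that first restricts the class to plain CSS tokens and then escapes it for the attribute context. The function names, the shortened template and the `$class`/`$service` parameters are hypothetical; the sample input is constructed to match the shape of the PoC above.

```php
<?php
// Added example, not code from the EmbedVideo extension.
// Hypothetical helpers that mirror the vulnerable pattern and a hardened form.

function renderFigureUnsafe(string $class, string $service): string
{
    // Same defect as the advisory describes: the attribute value is interpolated
    // verbatim, so a '"' in $class terminates the class attribute.
    $template = '<figure class="%s" data-service="%s"></figure>';
    return sprintf($template, $class, $service);
}

function renderFigureSafe(string $class, string $service): string
{
    // Step 1: allowlist. A class attribute is a space-separated list of simple
    // tokens; anything else is dropped rather than "cleaned up".
    if (!preg_match('/^[A-Za-z0-9_-]+(?: [A-Za-z0-9_-]+)*$/', $class)) {
        $class = '';
    }

    // Step 2: escape for the HTML attribute context anyway (defence in depth).
    // ENT_QUOTES makes sure both '"' and "'" are encoded.
    $template = '<figure class="%s" data-service="%s"></figure>';
    return sprintf(
        $template,
        htmlspecialchars($class, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($service, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

// Constructed sample input: the class value a page author could supply,
// shaped like the PoC in this advisory.
$payload = '" onmouseover="alert(document.domain)';

echo "unsafe: ", renderFigureUnsafe($payload, 'youtube'), PHP_EOL;
echo "safe:   ", renderFigureSafe($payload, 'youtube'), PHP_EOL;
echo "safe:   ", renderFigureSafe('myclass other-class', 'youtube'), PHP_EOL;
```

With the unsafe renderer the quote in `$payload` closes the attribute and the remainder becomes a new `onmouseover` attribute on the `<figure>`; with the hardened renderer the payload fails the token allowlist and the figure is emitted with an empty, properly quoted `class`, while a legitimate value such as `myclass other-class` passes through unchanged. The allowlist is the fix that matches the data type (class tokens); the escaping step is kept so that a future change to the allowlist cannot reopen the injection.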


Affected packages

Packagist / starcitizenwiki/embedvideo

Introduced in: 0
Fixed in: 4.1.0

Fix: `composer require starcitizenwiki/embedvideo:^4.1.0`
