php · starcitizenwiki/embedvideo · Critical
starcitizenwiki/embedvideo: HTML/JavaScript injection via malformed video URLs
What changed
A security vulnerability in the EmbedVideo extension allows malformed video URLs or IDs to escape the data-mw-iframeconfig attribute via single quotes, enabling HTML/JavaScript injection.
Who it affects
Any user able to edit a page on a wiki with $wgEmbedVideoRequireConsent enabled (default) can inject arbitrary JavaScript that executes in the wiki origin for all visitors.
What to do today
Update the EmbedVideo extension to a patched version or apply the fix from the advisory immediately.
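The class of bug described above, shown as an added example; this is not the extension's code or the advisory's patch. The function names, the config shape, the video.example host and the ID allow-list are assumptions made for illustration, and the sample ID is constructed and only adds a harmless marker attribute.

```php
<?php
// Added illustration: hypothetical names, not taken from the EmbedVideo source.

// Unsafe pattern: JSON placed in a single-quoted attribute with no HTML escaping.
// json_encode() leaves ' untouched by default, so a quote in $id ends the attribute.
function renderUnsafe(string $id): string {
    $config = json_encode(['src' => 'https://video.example/embed/' . $id]);
    return "<div data-mw-iframeconfig='" . $config . "'></div>";
}

// Hardened pattern: reject IDs outside an allow-list (assumed format), then
// escape the serialized JSON for the attribute context. ENT_QUOTES covers ' and ".
function renderSafe(string $id): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null; // refuse malformed IDs instead of trying to repair them
    }
    $config = json_encode(
        ['src' => 'https://video.example/embed/' . rawurlencode($id)],
        JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP
    );
    return '<div data-mw-iframeconfig="'
        . htmlspecialchars($config, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '"></div>';
}

// List the attribute names an HTML parser sees on the first <div>.
function attributeNames(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('div')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

$constructedId = "abc' data-injected='1"; // constructed sample input

// Unsafe output: the parser reports a second attribute that came from the ID.
print_r(attributeNames(renderUnsafe($constructedId)));

// Hardened output: the malformed ID is rejected; a well-formed one yields one attribute.
var_dump(renderSafe($constructedId));
print_r(attributeNames(renderSafe('abc123')));
```

The same attribute-count check works as a regression test against rendered wiki output after upgrading.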