php · starcitizenwiki/embedvideo · Critical
starcitizenwiki/embedvideo: Unescaped class parameter allows XSS
The user-supplied class value is directly interpolated into an HTML template via sprintf without escaping, enabling injection of arbitrary HTML and JavaScript.
What changed
The extension builds the embed container's HTML with sprintf and passes the user-supplied class value straight into the template's class attribute. Because %s is a plain placeholder and no escaping is applied, a value containing a quote character and angle brackets terminates the attribute and the element, and the remainder of the value is rendered as markup. Anyone who can set the parameter can therefore inject arbitrary HTML and JavaScript that runs in the wiki's origin for every reader of the page (stored XSS).
Who it affects
All MediaWiki installations running the StarCitizenWiki EmbedVideo extension. The exposure is greatest on wikis where untrusted users can edit pages, since the class value is supplied through user-generated content.
What to do today
Update the extension to a patched version. If you cannot update yet, apply a local fix that escapes the class value for HTML attribute context (for example with htmlspecialchars using ENT_QUOTES, or MediaWiki's Sanitizer::escapeClass) before it is passed to sprintf, and review recent revisions of pages that use the extension for suspicious class values.
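The following is an added example written for this page; it is not the extension's code and the template string, function names and payload are assumptions. It reproduces the pattern described under "What changed" (sprintf with an unescaped class value), shows the escaped form from "What to do today" beside it, and uses a DOM parse to confirm that the hardened output no longer yields an injected element.

```php
<?php
// Added example (not the extension's own code): the vulnerable
// interpolation pattern beside an escaped version, with a DOM-based check
// that the escaped output no longer yields injected elements.
declare(strict_types=1);

// Hypothetical stand-in for the extension's template; the markup is an assumption.
const EMBED_TEMPLATE = '<div class="embedvideo %s"><iframe src="%s"></iframe></div>';

// Vulnerable: %s is a plain placeholder, sprintf performs no escaping,
// so the class value reaches the attribute exactly as the user wrote it.
function renderEmbedVulnerable(string $src, string $class): string
{
    return sprintf(EMBED_TEMPLATE, $class, $src);
}

// Hardened: escape for attribute context before formatting. ENT_QUOTES is
// passed explicitly because on PHP < 8.1 htmlspecialchars() leaves single
// quotes alone, which matters if a template ever uses single-quoted attributes.
function renderEmbedFixed(string $src, string $class): string
{
    $safeClass = htmlspecialchars($class, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeSrc   = htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(EMBED_TEMPLATE, $safeClass, $safeSrc);
}

// Stricter alternative for a class attribute: allow-list the characters a
// CSS class token can legitimately contain and drop everything else.
function sanitizeClassStrict(string $class): string
{
    return preg_replace('/[^A-Za-z0-9_\- ]+/', '', $class) ?? '';
}

// Parse the rendered fragment and count elements by tag name. A class value
// that breaks out of its attribute shows up as extra elements in the tree.
function countTags(string $html, string $tag): int
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate the fragment's missing <html>/<body>
    $dom->loadHTML('<!DOCTYPE html><meta charset="utf-8">' . $html);
    libxml_clear_errors();
    return $dom->getElementsByTagName($tag)->length;
}

// Constructed payload: closes the class attribute and the <div>, then
// injects an element carrying an event handler.
$payload = 'foo"><img src=x onerror="alert(document.cookie)';
$src     = 'https://www.youtube.com/embed/VIDEO_ID'; // placeholder URL, not a real embed

$bad  = renderEmbedVulnerable($src, $payload);
$good = renderEmbedFixed($src, $payload);

printf("vulnerable output: %s\n", $bad);
printf("  <img> elements in parsed output: %d\n", countTags($bad, 'img'));
printf("fixed output:      %s\n", $good);
printf("  <img> elements in parsed output: %d\n", countTags($good, 'img'));
printf("strict class value: %s\n", sanitizeClassStrict($payload));
```

Run it with `php example.php`. The vulnerable output parses to a div, an img with an onerror handler, and the iframe; the escaped output parses to only the div and iframe, with the payload preserved as inert text inside the class attribute. The defect is the missing escaping step, not sprintf itself: the same template is safe once the value is encoded for its context. Inside MediaWiki the idiomatic choices are Html::element() or Html::rawElement(), which escape attribute values for you, or Sanitizer::escapeClass() when the value must remain a usable class token.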