php · starcitizenwiki/embedvideo · Critical
starcitizenwiki/embedvideo: stored XSS via unsanitized service name
What changed
A stored XSS vulnerability was found in the EmbedVideo extension. Passing an unknown service name causes an error message to render the unsanitized service name as HTML, enabling arbitrary JavaScript/HTML injection.
Who it affects
All users of MediaWiki sites with the EmbedVideo extension installed, especially page editors.
What to do today
Update the EmbedVideo extension to a patched version or apply the fix that sanitizes the service name in error messages.
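The pattern described under "What changed", as an added PHP example that is not the EmbedVideo extension's code: a hypothetical error renderer that concatenates the service name into HTML, beside a version that escapes it with `htmlspecialchars()`. The function names, allow-list, message text and sample input are assumptions constructed for illustration.

```php
<?php
// Added illustration. Function names, the allow-list and the message text
// are hypothetical; this is not the EmbedVideo extension's source.

const KNOWN_SERVICES = ['youtube', 'vimeo']; // constructed allow-list

// Vulnerable pattern: the editor-supplied name is concatenated into HTML as-is.
function renderErrorUnsafe(string $service): string
{
    return '<div class="error">Unknown video service: ' . $service . '</div>';
}

// Hardened pattern: encode the value for the HTML context it is written into.
function renderErrorSafe(string $service): string
{
    $escaped = htmlspecialchars($service, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="error">Unknown video service: ' . $escaped . '</div>';
}

// Dispatcher: only unknown names reach the error path, which is the path at issue.
function embed(string $service, callable $renderError): string
{
    if (in_array(strtolower($service), KNOWN_SERVICES, true)) {
        return '<!-- player markup omitted -->';
    }
    return $renderError($service);
}

// Regression check: true when input that needs escaping appears verbatim in the output.
function leaksMarkup(string $html, string $input): bool
{
    return $input !== '' && strpos($html, $input) !== false
        && $input !== htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for a service name saved in wikitext.
$input = '<script>/* constructed marker */</script>';

foreach (['renderErrorUnsafe', 'renderErrorSafe'] as $renderer) {
    $html = embed($input, $renderer);
    printf("%-18s leaks=%s\n  %s\n", $renderer, leaksMarkup($html, $input) ? 'yes' : 'no', $html);
}
```

A check like `leaksMarkup()` can be kept as a regression test so that later changes to the error message do not reintroduce unescaped output.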