StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text
Description
Summary
When passing an unknown service name to embedvideo, an error message is rendered containing the invalid service name. The service name is not sanitized and can contain HTML.
Details
There is a hardcoded list of allowed services in a switch statement inside EmbedServiceFactory#newFromName. When the service name is not in that list, an exception is thrown with the service name injected into the message via sprintf. This message is not sanitized and is marked as isHtml. The same applies to {{#evl:.
PoC
// Must be on a page, not on ExpandTemplates
{{#ev:|dQw4w9WgXcQ}}
{{#evl:id=dummy|service=}}
Impact
Stored XSS that allows arbitrary JavaScript/HTML insertion on any page that a user can edit. It requires no interaction and executes in the wiki origin for every visitor to the page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing sanitization of the service name parameter in error messages allows stored cross-site scripting (XSS)."
Attack vector
An attacker with page-editing privileges inserts a crafted `{{#ev:...}}` or `{{#evl:...}}` parser function call where the service name parameter contains an HTML/JavaScript payload (e.g. `<img src=x onerror=alert(document.domain)>`). Because the service name is not validated against the allowed list and is embedded unsanitized into an error message marked as HTML, the payload executes in the wiki origin for every visitor viewing the page. This is a stored cross-site scripting (XSS) attack that requires no user interaction beyond page load. [CWE-79]
Affected code
The vulnerability resides in `EmbedServiceFactory#newFromName` (switch statement at line 105) and the exception handling in `EmbedVideo.php` (lines 303–311 and 177–183). When an unknown service name is passed, an `InvalidArgumentException` is thrown with the unsanitized service name injected via `sprintf`; the resulting error message is then returned with `'isHTML' => true` without escaping.
What the fix does
The patch introduces a custom `EmbedVideoException` class that accepts a `string|HtmlArmor` message. The new `errorBoxHtml()` method uses `Html::element()` (which escapes all content) instead of building a raw HTML string. Exception messages are now wrapped in `HtmlArmor` via `EmbedVideoException::newWithHtml()`, and the output code calls `$e->getHtml()` instead of `$e->getMessage()`. This ensures that any user-supplied data in the error message is properly HTML-escaped before being rendered, closing the XSS vector. [patch_id=6633270]
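The bug pattern and the escaping fix described above, reduced to plain PHP that runs without MediaWiki. This is an added example, not the extension's own code: vulnerableEmbed() and safeEmbed() are hypothetical names, and htmlspecialchars() stands in for the Html::element()/HtmlArmor handling the patch uses.

```php
<?php
// Added example, not the extension's code: the bug pattern and its fix in plain PHP.
// vulnerableEmbed() and safeEmbed() are hypothetical names; htmlspecialchars()
// stands in for MediaWiki's Html::element()/HtmlArmor escaping.

// Hardcoded allowed list, as in EmbedServiceFactory#newFromName.
function newFromName(string $service): string {
    switch (strtolower($service)) {
        case 'youtube':
        case 'vimeo':
            return strtolower($service);
        default:
            // The untrusted name is interpolated into the message verbatim.
            throw new InvalidArgumentException(
                sprintf('Service "%s" not found', $service)
            );
    }
}

// Before the fix: getMessage() goes straight into output flagged isHTML
// (the array shape mirrors a MediaWiki parser-function return value).
function vulnerableEmbed(string $service): array {
    try {
        newFromName($service);
        return ['<div class="embedvideo"></div>', 'isHTML' => true];
    } catch (InvalidArgumentException $e) {
        return ['<div class="errorbox">' . $e->getMessage() . '</div>', 'isHTML' => true];
    }
}

// After the fix: escape the message before it is marked as HTML.
function safeEmbed(string $service): array {
    try {
        newFromName($service);
        return ['<div class="embedvideo"></div>', 'isHTML' => true];
    } catch (InvalidArgumentException $e) {
        $escaped = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return ['<div class="errorbox">' . $escaped . '</div>', 'isHTML' => true];
    }
}

// Constructed input: the payload quoted in the advisory, supplied as the "service name".
$payload = '<img src=x onerror=alert(document.domain)>';
$before = vulnerableEmbed($payload)[0];
$after  = safeEmbed($payload)[0];
echo 'before fix, tag survives: ', var_export(strpos($before, '<img') !== false, true), "\n";
echo 'after fix, tag survives:  ', var_export(strpos($after, '<img') !== false, true), "\n";
echo $after, "\n";
```

The same check is useful as a regression test for any parser function that returns isHTML output: feed each user-controlled parameter a tag and assert it comes back entity-encoded.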
Preconditions
- auth: Attacker must have edit permission on a wiki page
- config: The wiki must have the EmbedVideo extension installed and the parser functions enabled
- input: Attacker must supply a service name that is not in the hardcoded allowed list
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c29q-5xm7-5p62 (advisory)
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/9215564bf28a0ceb40be550a55ab78efc0accc56 (fix commit)
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/releases/tag/v4.1.0 (fixed release)
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-c29q-5xm7-5p62 (repository advisory)