StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled
Description
Summary
With $wgEmbedVideoRequireConsent enabled (the default), the URLs for videos are stored in a JSON-encoded data attribute, data-mw-iframeconfig. When given a malformed URL or id, the data-mw-iframeconfig attribute can be escaped via single quotes, allowing HTML/JavaScript injection.
Details
The sprintf here adds the iframe config encoded as JSON. When given a malicious URL or id containing a single quote, the $this->getUrl() call returns an unescaped payload that terminates the data-mw-iframeconfig attribute and allows injecting further attributes, including event handlers, into the figure element. The id regex for the archiveorg service and the URL regexes for the wistia and sharepoint services allow single quotes to be introduced.
PoC
A couple of examples across services:

Input:
{{#ev:wistia|https://wistia.com/medias/x'onmouseover='alert(document.domain)'}}
Renders:
...

Input:
{{#ev:sharepoint|https://a.sharepoint.com/sites/x'onmouseover='alert(document.domain)'.aspx}}
Impact
Under the default $wgEmbedVideoRequireConsent = true configuration, any user able to edit a page can inject arbitrary JavaScript into an HTML event handler attribute (e.g. onfocus) via a parameter. It requires no interaction (it autofires via autofocus) and executes in the wiki origin for every visitor to the page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <= 4.0.0
Patches
Vulnerability mechanics
Root cause
"Missing HTML escaping of the video URL when placed inside a single-quoted data attribute allows an attacker to break out of the attribute value and inject arbitrary HTML event handlers."
Attack vector
An attacker with page-edit privileges supplies a video id or URL containing a single quote (e.g. `x' onmouseover='alert(document.domain)'`) to the `archiveorg`, `wistia`, or `sharepoint` service. When `$wgEmbedVideoRequireConsent` is enabled (the default), the unescaped payload is placed inside a single-quoted `data-mw-iframeconfig` attribute, breaking out of the attribute value and injecting arbitrary HTML event handlers into the `<figure>` element [ref_id=2]. The injected JavaScript executes in the wiki origin for every visitor with no user interaction required (e.g. via `autofocus`) [ref_id=3].
Affected code
The vulnerability resides in `includes/EmbedService/EmbedHtmlFormatter.php` where `sprintf` was used to build the `data-mw-iframeconfig` attribute with a single-quoted value, and in `includes/EmbedService/AbstractEmbedService.php` where `getIframeConfig()` returns JSON containing the unescaped URL. The `archiveorg`, `wistia`, and `sharepoint` service regexes permit single quotes in the id/URL. The patch rewrites `EmbedHtmlFormatter::toHtml()` and `makeConsentContainerHtml()` to use Mustache templates (`wrapper.mustache`, `consent-container.mustache`) and `Html::element()`/`Html::rawElement()` for proper escaping.
What the fix does
The patch replaces the `sprintf`-based HTML construction in `EmbedHtmlFormatter` with Mustache templates (`wrapper.mustache`, `consent-container.mustache`) and MediaWiki's `Html::element()` / `Html::rawElement()` helpers [patch_id=6640293]. These APIs automatically HTML-entity-encode attribute values, so a single quote in the URL becomes the entity `&#039;` and cannot break out of the `data-mw-iframeconfig` attribute. The `makeIframe()` method similarly switches from manual `sprintf` to `Html::element('iframe', $attributes)`, and `setDescriptionNoParse()` now calls `htmlspecialchars()` on the description.
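The following is an added example, not code from the EmbedVideo extension or its patch. It reproduces the attribute-injection pattern from the "Attack vector" and "What the fix does" sections in plain PHP so it runs without MediaWiki: a `sprintf`-built single-quoted attribute holding `json_encode()` output beside the same wrapper with attribute-level entity encoding (what `Html::element()` does internally; `htmlspecialchars()` with `ENT_QUOTES` stands in for it here). The `src`-only config shape, the `isPlausibleVideoInput()` allow-list and the regression check are assumptions of this example; the sample input is the wistia value from the PoC above.

```php
<?php
declare(strict_types=1);

/**
 * Vulnerable pattern (assumed config shape): the iframe config is JSON-encoded
 * and interpolated into a single-quoted attribute. json_encode() leaves single
 * quotes untouched, so a quote in the URL closes the attribute value early and
 * whatever follows is parsed as new attributes on the element.
 */
function buildWrapperVulnerable(string $url): string
{
    $config = json_encode(['src' => $url]);
    return sprintf(
        "<figure class='embedvideo' data-mw-iframeconfig='%s'></figure>",
        $config
    );
}

/**
 * Hardened pattern: identical JSON, but the attribute value is entity-encoded
 * with ENT_QUOTES before interpolation, so ' becomes &#039; and " becomes &quot;.
 * MediaWiki's Html::element() performs this encoding for every attribute value;
 * plain htmlspecialchars() is used so this file runs stand-alone.
 */
function buildWrapperSafe(string $url): string
{
    $config = json_encode(['src' => $url]);
    $attr = htmlspecialchars($config, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<figure class='embedvideo' data-mw-iframeconfig='{$attr}'></figure>";
}

/**
 * Defence in depth (assumed allow-list): reject ids/URLs carrying characters
 * that have no business in a video identifier. This does not replace output
 * escaping; it narrows what the service regexes let through.
 */
function isPlausibleVideoInput(string $value): bool
{
    return preg_match('/^[A-Za-z0-9._~:\/?#\[\]@!$&()*+,;=%-]+$/', $value) === 1
        && strpbrk($value, "'\"<>") === false;
}

/**
 * Coarse regression check for the rendered markup: an inline event-handler
 * attribute name that directly follows a quote or whitespace means the
 * attribute boundary was crossed. In the hardened output the quote is the
 * entity &#039;, so "onmouseover" is preceded by ';' and does not match.
 */
function containsEventHandlerAttribute(string $html): bool
{
    return preg_match('/[\'"\s]on[a-z]+\s*=/i', $html) === 1;
}

// Constructed input: the wistia PoC value from this advisory.
$payload = "https://wistia.com/medias/x'onmouseover='alert(document.domain)'";

$vulnerable = buildWrapperVulnerable($payload);
$hardened   = buildWrapperSafe($payload);

echo "vulnerable: {$vulnerable}\n";
echo "hardened:   {$hardened}\n";
var_dump(containsEventHandlerAttribute($vulnerable)); // bool(true): attribute broke out
var_dump(containsEventHandlerAttribute($hardened));   // bool(false): quote encoded as &#039;
var_dump(isPlausibleVideoInput($payload));            // bool(false): rejected before rendering
var_dump(isPlausibleVideoInput('https://wistia.com/medias/abc123')); // bool(true)
```

Run it with `php example.php`. The vulnerable line shows the browser-visible problem: the attribute value ends at the first `'`, and `onmouseover='alert(document.domain)'` becomes a handler on the `<figure>` element even though no space precedes it, because the HTML tokenizer treats any non-whitespace after a closing quote as the start of a new attribute name. The hardened line keeps the whole JSON string inside one attribute, which is exactly why the patch's move to `Html::element()` closes the issue regardless of what the service regexes accept.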
Preconditions
- Config: $wgEmbedVideoRequireConsent must be enabled (the default)
- Auth: the attacker must have permission to edit a wiki page
- Input: the video id or URL must contain a single quote character
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5c7p-g73q-rpg5 (GHSA advisory)
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84 (fix commit)
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/releases/tag/v4.1.0 (fixed release)
- github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-5c7p-g73q-rpg5 (repository advisory)
News mentions
No linked articles in our index yet.