CVE-2016-4567

Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."

References

Affected packages

Git / github.com/mediaelement/mediaelement

Affected ranges

Type

GIT

Repo

https://github.com/mediaelement/mediaelement

Events

Introduced

Last affected

5c1c02c01ea583537312bd3f0eb6b5aa8376ae0e

Fixed

34834eef8ac830b9145df169ec22016a4350f06e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.20.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/wordpress/wordpress

Events

Introduced

Last affected

294c6ebe24e8ec284138545fc642bcdcff3adbb0

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.5.1"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.12.0

2.13.0

2.13.1

2.13.2

2.14.0

2.15.0

2.15.1

2.16.0

2.16.1

2.16.2

2.16.3

2.16.4

2.17.0

2.18.0

2.18.1

2.18.2

2.19.0

2.20.0

2.20.1

4.*

4.5.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4567.json"