CVE-2022-23543

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-23543

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23543.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-23543

Aliases

GHSA-62r9-4v3r-rw89

Published

2022-12-19T21:30:09.836Z

Modified

2026-03-14T11:34:01.546248Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

HTML attributes when attaching a YouTube link to the post

Details

Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related <iframe> when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped. However, it was still possible to add custom HTML attributes (e.g. onclick=alert("xss")) to the <iframe>'. This issue was fixed in the version1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23543.json",
    "cwe_ids": [
        "CWE-80"
    ]
}

References

Affected packages

Git /

Affected ranges

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23543.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "1.1.34"
            }
        ]
    }
]