GHSA-277w-qpxr-2549
Suggest an improvement- Source
- https://github.com/advisories/GHSA-277w-qpxr-2549
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-277w-qpxr-2549/GHSA-277w-qpxr-2549.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-277w-qpxr-2549
- Aliases
- Published
- 2022-05-17T03:35:09Z
- Modified
- 2024-04-25T21:57:34.247548Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- MediaElement Vulnerable to Reflected XSS
- Details
-
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.swf in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
- Database specific
{ "nvd_published_at": "2016-05-22T01:59:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-04-25T21:38:55Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2016-4567
- https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e
- https://github.com/mediaelement/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e
- https://codex.wordpress.org/Version_4.5.2
- https://contao.org/en/news/contao-3_5_15.html
- https://core.trac.wordpress.org/changeset/37371
- https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao-components/mediaelement/CVE-2016-4567.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2016-4567.yaml
- https://github.com/johndyer/mediaelement/blob/master/changelog.md
- https://github.com/mediaelement/mediaelement/blob/b992ccf5f0c04a207d98bbb0868420751a61ec90/changelog.md?plain=1#L1024
- https://github.com/mediaelement/mediaelement/blob/master/changelog.md
- https://web.archive.org/web/20170205142412/http://www.securitytracker.com/id/1035818
- https://wordpress.org/news/2016/05/wordpress-4-5-2
- https://wpvulndb.com/vulnerabilities/8488
- http://www.openwall.com/lists/oss-security/2016/05/07/2
- http://www.securitytracker.com/id/1035818
Affected packages
npm / mediaelement
Package
- Name
- mediaelement
- View open source insights on deps.dev
- Purl
- pkg:npm/mediaelement
Packagist / contao-components/mediaelement
Package
- Name
- contao-components/mediaelement
- Purl
- pkg:composer/contao-components/mediaelement
Packagist / contao/core
Package
- Name
- contao/core
- Purl
- pkg:composer/contao/core
Affected versions
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.1.beta1
3.1.RC1
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.2.beta1
3.2.beta2
3.2.RC1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13
3.2.14
3.2.15
3.2.16
3.2.17
3.2.18
3.2.19
3.2.20
3.2.21
3.3.0-beta1
3.3.0-RC1
3.3.0-RC2
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.4.0-beta1
3.4.0-RC1
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.5.0-beta1
3.5.0-RC1
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.14