Skip to content
This repository has been archived by the owner on Aug 30, 2020. It is now read-only.

YouTube Embed Vulnerability #13

Open
heyjoeway opened this issue Jun 19, 2020 · 1 comment
Open

YouTube Embed Vulnerability #13

heyjoeway opened this issue Jun 19, 2020 · 1 comment

Comments

@heyjoeway
Copy link
Owner

BonziWORLD/src/www/js/bonzi.es2015

Line 432 in 7630411

src="https://www.youtube.com/embed/${vid}?autoplay=1"

Because of the way YouTube embeds are handled it is possible to escape the current HTML tag and inject arbitrary HTML/JS.
@thebehhbehhman
Copy link

Fixed in BonziWORLD Revived. Script kiddies were abusing this vulnerability by making a "virus" to harm others.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@heyjoeway @thebehhbehhman