Own HTML attributes when attaching a YouTube link to the post

Moderate
mesosoi published GHSA-62r9-4v3r-rw89 Dec 19, 2022

Package

post.php (SilverwareGames.io)

Affected versions

< 1.1.34

Patched versions

1.1.34

Description

Users can attach YouTube video URLs to posts; when a post is published, the site generates the corresponding <iframe>. The handler has some protection: non-YouTube links are rejected and HTML tags are stripped. However, it was still possible to inject custom HTML attributes (e.g. onclick=alert("xss")) into the generated <iframe>.

This was fixed in version 1.1.34 and requires no extra action from our members. There is also no evidence that this vulnerability was ever exploited.
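The pattern described above, as an added example that is not the project's post.php: a hypothetical PHP embed builder contrasting the substring-check-plus-strip_tags approach with one that allow-lists the host, extracts the video ID, validates its shape and rebuilds the embed URL from a fixed template. The host list, the 11-character ID rule and the sample input are assumptions for this example.

```php
<?php
// Added example, not the project's post.php: a YouTube embed builder that
// allow-lists the host, extracts the video ID and rebuilds the URL itself.

// Fragile pattern: tags are stripped and the host is checked by substring, but
// the raw string is still interpolated, so a quote plus extra attributes survives.
function naive_embed(string $url): ?string {
    $clean = strip_tags($url);
    if (strpos($clean, 'youtube.com') === false) {
        return null;
    }
    return '<iframe src="' . $clean . '"></iframe>';
}

// Hardened: parse, allow-list the host, pull the video ID, validate its shape.
// Host list and the 11-character ID rule are assumptions for this example.
function youtube_video_id(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        return null;
    }
    $host = strtolower($parts['host'] ?? '');
    $id = null;
    if (in_array($host, ['youtube.com', 'www.youtube.com', 'm.youtube.com'], true)) {
        parse_str($parts['query'] ?? '', $q);
        $id = $q['v'] ?? null;
    } elseif ($host === 'youtu.be') {
        $id = ltrim($parts['path'] ?? '', '/');
    }
    return (is_string($id) && preg_match('/^[A-Za-z0-9_-]{11}$/', $id)) ? $id : null;
}

// The tag is built from a fixed template; only the validated ID varies.
function safe_embed(string $url): ?string {
    $id = youtube_video_id($url);
    if ($id === null) {
        return null;
    }
    $src = 'https://www.youtube.com/embed/' . $id;
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
        . '" width="560" height="315" allowfullscreen></iframe>';
}

// Constructed input in the shape the advisory describes: a YouTube link that
// smuggles an extra attribute after closing the src quote.
$hostile = 'https://www.youtube.com/watch?v=aBcDeFgHiJk" onclick="alert(1)';
echo naive_embed($hostile), "\n";        // naive builder passes the attribute through
var_dump(safe_embed($hostile));          // hardened builder rejects the same input
echo safe_embed('https://youtu.be/aBcDeFgHiJk'), "\n";
```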

Severity

Moderate 5.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CVE ID

CVE-2022-23543