CVE-2016-4567 — Cross-site Scripting in Mediaelement

CWE-79 — Cross-site Scripting10 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

4.2%

top 11.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Contao-components Mediaelement Contao Core Mediaelementjs Mediaelement.js +1 more

Timeline

PublishedMay 22

Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Packagistcontao-components/mediaelement2.14.2 — 2.21.1

▶NVDwordpress/wordpress4.5.1

▶NVDmediaelementjs/mediaelement.js2.20.1

▶Packagistcontao/core3.0.0 — 3.5.15

Patches

Patch: codex.wordpress.org ↗Patch: core.trac.wordpress.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

MediaElement Vulnerable to Reflected XSS↗2022-05-17

▶

OSV

MediaElement Vulnerable to Reflected XSS↗2022-05-17

▶

OSV

CVE-2016-4567: Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement↗2016-05-22

▶

CVEList

CVE-2016-4567: Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement↗2016-05-22

▶

📋Vendor Advisories

Debian

CVE-2016-4567: mediaelement - Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaE...↗2016

▶

💬Community

Bugzilla

flashmediaelement.swf XSS in qsurvey.mozilla.com↗2016-07-07

▶

Bugzilla

CVE-2016-4566 CVE-2016-4567 wordpress: 4.5.2 Security Release↗2016-05-09

▶

Bugzilla

CVE-2016-4566 CVE-2016-4567 wordpress: 4.5.2 Security Release [epel-all]↗2016-05-09

▶

Bugzilla

CVE-2016-4566 CVE-2016-4567 wordpress: 4.5.2 Security Release [fedora-all]↗2016-05-09

▶