CVE-2016-4567: MediaElement Vulnerable to Reflected XSS
(updated )
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.swf in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by “jsinitfunctio%gn.”
References
- codex.wordpress.org/Version_4.5.2
- contao.org/en/news/contao-3_5_15.html
- core.trac.wordpress.org/changeset/37371
- gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
- github.com/FriendsOfPHP/security-advisories/blob/master/contao-components/mediaelement/CVE-2016-4567.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2016-4567.yaml
- github.com/advisories/GHSA-277w-qpxr-2549
- github.com/johndyer/mediaelement/blob/master/changelog.md
- github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e
- github.com/mediaelement/mediaelement/blob/b992ccf5f0c04a207d98bbb0868420751a61ec90/changelog.md?plain=1
- github.com/mediaelement/mediaelement/blob/master/changelog.md
- github.com/mediaelement/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e
- nvd.nist.gov/vuln/detail/CVE-2016-4567
- web.archive.org/web/20170205142412/http://www.securitytracker.com/id/1035818
- wordpress.org/news/2016/05/wordpress-4-5-2
- wpvulndb.com/vulnerabilities/8488
Code Behaviors & Features
Detect and mitigate CVE-2016-4567 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →