CVE-2025-59839
Description
The EmbedVideo Extension is a MediaWiki extension which adds a parser function called #ev and various parser tags for embedding video clips from various video sharing services. In versions 4.0.0 and prior, the EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. This issue has been patched via commit 4e075d3.
CWE
- CWE-79 — CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected
- StarCitizenWiki / mediawiki-extensions-EmbedVideo — v=<= 4.0.0 [affected]
CVSS
- 3.1 score=8.6 severity=HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
References
- https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-4j5h-mvj3-m48v x_refsource_CONFIRM
- https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/4e075d3dc9a15a3ee53f449a684d5ab847e52f01 x_refsource_MISC
- https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/ext.embedVideo.videolink.js#L5-L20 x_refsource_MISC
- https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/modules/iframe.js#L139-L155 x_refsource_MISC
Source
cvelistV5-main/cves/2025/59xxx/CVE-2025-59839.json