Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yNzd3LXFweHItMjU0Oc4AAc12

MediaElement Vulnerable to Reflected XSS

Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.swf in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."

Permalink: https://github.com/advisories/GHSA-277w-qpxr-2549
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNzd3LXFweHItMjU0Oc4AAc12
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 23 days ago

CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-277w-qpxr-2549, CVE-2016-4567
References:

Repository: https://github.com/johndyer/mediaelement
Blast Radius: 32.3

Affected Packages

packagist:contao/core

Dependent packages: 943
Dependent repositories: 566
Downloads: 49,788 total
Affected Version Ranges: >= 3.0.0, < 3.5.15
Fixed in: 3.5.15
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.5.14
All unaffected versions: 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.11.13, 2.11.14, 2.11.15, 2.11.16, 2.11.17, 3.5.15, 3.5.16, 3.5.17, 3.5.18, 3.5.19, 3.5.20, 3.5.21, 3.5.22, 3.5.23, 3.5.24, 3.5.25, 3.5.26, 3.5.27, 3.5.28, 3.5.29, 3.5.30, 3.5.31, 3.5.32, 3.5.33, 3.5.34, 3.5.35, 3.5.36, 3.5.37, 3.5.38, 3.5.39, 3.5.40

packagist:contao-components/mediaelement

Dependent packages: 4
Dependent repositories: 22
Downloads: 346,129 total
Affected Version Ranges: >= 2.14.2, < 2.21.1
Fixed in: 2.21.1
All affected versions: 2.14.2, 2.15.0, 2.15.1, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.17.0, 2.18.0, 2.18.1, 2.18.2, 2.19.0, 2.20.0, 2.20.1, 2.21.0
All unaffected versions: 2.21.1, 2.21.2, 2.22.0, 2.22.1, 2.23.0, 2.23.1, 2.23.2, 2.23.3, 2.23.4, 2.23.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14

npm:mediaelement

Dependent packages: 48
Dependent repositories: 344
Downloads: 45,190 last month
Affected Version Ranges: < 2.11.1
Fixed in: 2.11.1
All affected versions:
All unaffected versions: 2.17.0, 2.18.2, 2.21.0, 2.21.1, 2.21.2, 2.22.0, 2.22.1, 2.23.0, 2.23.1, 2.23.2, 2.23.3, 2.23.4, 2.23.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.12, 4.2.14, 4.2.15, 4.2.16, 4.2.17, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5