8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-59839

GHSA ID

GHSA-4j5h-mvj3-m48v

EPSS Score

0.11845%

CWE

CWE-79

Published

9/24/2025

Updated

9/24/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59839

CVE-2025-59839: Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes

Summary

The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext.

Details

The attributes of an iframe are populated with the value of an unreserved data attribute (data-iframeconfig) that can be set via wikitext: https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/ext.embedVideo.videolink.js#L5-L20 Similar code is also present here: https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/modules/iframe.js#L139-L155

It is possible to execute JS through attributes like onload or onmouseenter.

PoC

Create a page with the following contents:

<div class="embedvideo-evl" data-iframeconfig='{"onload": "alert(1)"}'>Click me!</div>
<evlplayer></evlplayer>

Click on the "Click me!" text
Click on the "Load video" button below <img width="855" height="404" alt="image" src="https://github.com/user-attachments/assets/afb3839a-012c-4e90-a208-a6137b704ccd" />

Impact

Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-59839

CVE-2025-59839:

8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-59839

GHSA ID

GHSA-4j5h-mvj3-m48v

EPSS Score

0.11845%

CWE

CWE-79

Published

9/24/2025

Updated

9/24/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
starcitizenwiki/embedvideo	composer	<= 4.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the EmbedVideo MediaWiki extension. The root cause is the use of the data-iframeconfig HTML attribute, which could be manipulated by users through wikitext. An attacker could embed a malicious JSON payload in this attribute, specifying JavaScript event handlers like onload.

The vulnerability is triggered in a two-step process:

Storage (Server-Side): The PHP functions EmbedHtmlFormatter::toHtml and EmbedVideo::parseEVL were responsible for generating the HTML for the embedded video player. They would create elements containing the data-iframeconfig attribute, allowing the attacker's payload to be stored on the wiki page.
Execution (Client-Side): When a user interacts with the embedded video element (e.g., by clicking a link), a JavaScript event handler (an anonymous function in ext.embedVideo.videolink.js) reads the malicious payload from the data-iframeconfig attribute. This payload is then passed to the makeIframe function in iframe.js. The makeIframe function dynamically creates an <iframe> and sets its attributes directly from the provided payload, causing the malicious JavaScript (e.g., the onload handler) to be executed in the context of the user's browser.

The patch addresses the vulnerability by renaming data-iframeconfig to data-mw-iframeconfig. Attributes prefixed with data-mw- are reserved for MediaWiki's internal use and are sanitized, preventing users from setting them via wikitext. This breaks the chain of attack by preventing the initial storage of the malicious payload.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-59839: Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes

Summary

Details

PoC

Impact

CVE-2025-59839:

8.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.6

8.6

Technical Details

CVE-2025-59839: Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes

Summary

Details

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI