CVE-2022-4876 LOW

CVE-2022-4876: Kaltura mwEmbed DefaultSettings.php cross site scripting

Vendor Kaltura

Product mwEmbed

Weakness CWE-79 · XSS

Published January 4, 2023

Last update May 28, 2025

View on NVD All CVEs

CVSS base score

3.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

A vulnerability was found in Kaltura mwEmbed up to 2.96.rc1 and classified as problematic. This issue affects some unknown processing of the file includes/DefaultSettings.php. The manipulation of the argument HTTP_X_FORWARDED_HOST leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.96.rc2 is able to address this issue. The patch is named 13b8812ebc8c9fa034eed91ab35ba8423a528c0b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217427.

Key dates

02Disclosure timeline

January 4, 2023 CVE published

May 28, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-4876 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-68538 WordPress Craft | Coffee Shop Cafe Restaurant WordPress theme <= 2.3.6 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-64260 WordPress ANAC XML Bandi di Gara plugin <= 7.7 - Cross Site Scripting (XSS) vulnerability CVE-2026-44245 Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component CVE-2026-4088 Switch CTA Box <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2024-13733 SKT Blocks – Gutenberg based Page Builder <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting