XSS in Nokia - MediaElements component

Here I present a Flash-based XSS vulnerability (reported and fixed) that I discovered in r.nokia.com; exploiting it required no user interaction.

PoC URL:

http://r.nokia.com/s/6.0/assets/js/flashmediaelement.swf?debug=true&file=x%22});alert(1);//&autoplay=true

This is a well-known vulnerability in MediaElement.js, patched last year in version 2.11.2 (see CVE-2013-1967 and the GitHub patch commit).

The version running on r.nokia.com was 2.9.1, as could be seen in:

http://r.nokia.com/s/6.0/assets/js/mediaelement-and-player.js

( mejs.version="2.9.1"; )
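As an added defender-side example (not part of the original post or of MediaElement.js itself), the following Python flags web server log requests whose flashmediaelement.swf file parameter contains characters that break out of the string the SWF hands to JavaScript, and checks whether a deployed mediaelement-and-player.js still reports a version below the fixed 2.11.2 release. The log lines, the JS excerpt and the severity labels are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Release of MediaElement.js in which CVE-2013-1967 was fixed (per this post).
FIXED_VERSION = (2, 11, 2)
# Characters that close the quoted JavaScript string the SWF builds from the
# "file" parameter; none of them belongs in a legitimate media filename.
BREAKOUT_CHARS = set('"\'();<>')
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')

def parse_mejs_version(js_source):
    """Return mejs.version from mediaelement-and-player.js as a tuple, or None."""
    m = re.search(r'mejs\.version\s*=\s*"(\d+)\.(\d+)\.(\d+)"', js_source)
    return tuple(int(g) for g in m.groups()) if m else None

def is_vulnerable_version(js_source):
    """True when the deployed player predates the fixed release."""
    version = parse_mejs_version(js_source)
    return version is not None and version < FIXED_VERSION

def classify_request(path):
    """'high' for a file= breakout with debug=true, 'medium' for a breakout alone."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith("/flashmediaelement.swf"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if not any(BREAKOUT_CHARS & set(v) for v in params.get("file", [])):
        return None
    debug_on = params.get("debug", [""])[0].lower() == "true"
    return "high" if debug_on else "medium"

def scan_log(lines):
    """Return (line_number, severity, path) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        severity = classify_request(m.group("path")) if m else None
        if severity:
            hits.append((number, severity, m.group("path")))
    return hits

# Constructed sample log lines; the second carries the PoC query from this post.
SAMPLE_LOG = [
    '10.0.0.1 - - [01/Jan/2014:10:00:00 +0000] "GET /s/6.0/assets/js/flashmediaelement.swf?file=media%2Fintro.mp4&autoplay=true HTTP/1.1" 200 5120',
    '10.0.0.2 - - [01/Jan/2014:10:00:01 +0000] "GET /s/6.0/assets/js/flashmediaelement.swf?debug=true&file=x%22});alert(1);//&autoplay=true HTTP/1.1" 200 5120',
]
# Constructed excerpt mimicking the version line quoted in this post.
SAMPLE_JS = 'var mejs = mejs || {}; mejs.version="2.9.1";'
```

Running scan_log over SAMPLE_LOG flags only the second line, and is_vulnerable_version(SAMPLE_JS) reports the 2.9.1 build as predating the fix.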

Screenshot using the Chrome debugger:

Screenshot of the XSS vulnerability triggered