
CVE-2022-4876: CWE-79 Cross Site Scripting in Kaltura mwEmbed

Low
Tags: Vulnerability, CVE-2022-4876, CWE-79
Published: Wed Jan 04 2023 (01/04/2023, 22:02:54 UTC)
Source: CVE Database V5
Vendor/Project: Kaltura
Product: mwEmbed

Description

A vulnerability was found in Kaltura mwEmbed up to 2.96.rc1 and classified as problematic. This issue affects some unknown processing of the file includes/DefaultSettings.php. The manipulation of the argument HTTP_X_FORWARDED_HOST leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.96.rc2 is able to address this issue. The patch is named 13b8812ebc8c9fa034eed91ab35ba8423a528c0b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217427.

AI-Powered Analysis

Last updated: 07/07/2025, 09:28:02 UTC

Technical Analysis

CVE-2022-4876 is a cross-site scripting (XSS) vulnerability identified in Kaltura's mwEmbed component, specifically affecting versions up to 2.96.rc1. The vulnerability arises from improper handling of the HTTP_X_FORWARDED_HOST header within the includes/DefaultSettings.php file. An attacker can manipulate this HTTP header to inject script content, which is then executed in the context of the victim's browser. The flaw is classified under CWE-79 (improper neutralization of input during web page generation), the weakness category that covers XSS. Exploitation requires the attacker to craft a malicious HTTP request with a manipulated HTTP_X_FORWARDED_HOST header and trick a user into visiting a specially crafted URL or interacting with the affected application. The vulnerability does not require authentication but does require user interaction (e.g., clicking a link). The CVSS v3.1 base score is 3.5, reflecting low severity, primarily because of the limited impact on confidentiality and availability and the need for user interaction. The issue has been addressed in version 2.96.rc2 of mwEmbed, with a patch identified by commit 13b8812ebc8c9fa034eed91ab35ba8423a528c0b. No known exploits have been reported in the wild to date.

Potential Impact

For European organizations using Kaltura mwEmbed version 2.96.rc1 or earlier, this vulnerability presents a risk of client-side script injection, which can lead to session hijacking, defacement, or redirection to malicious sites. While the direct impact on server confidentiality and availability is minimal, the exploitation can undermine user trust and potentially facilitate further attacks such as phishing or credential theft. Organizations in sectors with high reliance on video content delivery, such as media, education, and corporate communications, may face reputational damage if exploited. Additionally, regulatory frameworks like GDPR emphasize protecting user data and preventing unauthorized access, so even low-severity vulnerabilities that lead to user data compromise or phishing could have compliance implications. The requirement for user interaction limits the attack vector but does not eliminate risk, especially in environments where users may be less security-aware.

Mitigation Recommendations

European organizations should prioritize upgrading Kaltura mwEmbed to version 2.96.rc2 or later to apply the official patch. If immediate upgrade is not feasible, implementing web application firewall (WAF) rules to sanitize or block suspicious HTTP_X_FORWARDED_HOST header values can reduce exposure. Additionally, organizations should conduct security awareness training to educate users about the risks of clicking unknown or suspicious links. Regular security assessments and penetration testing focusing on input validation and header manipulation can help identify similar vulnerabilities. Monitoring web server logs for unusual HTTP_X_FORWARDED_HOST header values may provide early detection of attempted exploitation. Finally, applying Content Security Policy (CSP) headers can mitigate the impact of XSS by restricting the execution of unauthorized scripts in browsers.
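The two defensive measures above that can be expressed in code are (a) never trusting a forwarded host value unless it is a syntactically valid hostname on an allowlist, and (b) scanning access logs for forwarded-host values that fail the same checks. The following is an added example illustrating both; it is not mwEmbed code and not the project's patch. The hostnames, the `/player/embed` path, the `ALLOWED_HOSTS` allowlist, the sample log lines and the log format (an access log with the X-Forwarded-Host request header appended as an `xfh="..."` field, as a custom LogFormat would produce) are all constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed allowlist: the hostnames this deployment legitimately serves
# (assumption for the example; a real deployment takes this from configuration).
ALLOWED_HOSTS = {"video.example.org", "media.example.org"}

# Hostname grammar: dot-separated labels of letters, digits and hyphens, with an
# optional ":port". Anything containing quotes, angle brackets, slashes or spaces
# fails this check, which is exactly what we want before a value reaches markup.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$",
    re.IGNORECASE,
)


def is_hostname(value: str) -> bool:
    """True if value is a syntactically valid hostname (optionally with a port)."""
    return len(value) <= 253 and _HOST_RE.match(value) is not None


def select_host(x_forwarded_host: Optional[str], server_name: str) -> str:
    """Return the host to embed in generated pages or URLs.

    The forwarded value is used only if it is a well-formed hostname AND its
    host part is in the allowlist; otherwise the server's own configured name
    is used. Untrusted header content therefore never reaches the page."""
    if not x_forwarded_host:
        return server_name
    # Chained proxies may send "client-host, proxy-host"; take the first entry.
    candidate = x_forwarded_host.split(",")[0].strip()
    if is_hostname(candidate) and candidate.split(":")[0].lower() in ALLOWED_HOSTS:
        return candidate
    return server_name


# Constructed access-log format (assumption): common log fields followed by the
# X-Forwarded-Host request header as xfh="...".
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ xfh="(?P<xfh>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [04/Jan/2023:22:02:54 +0000] "GET /player/embed HTTP/1.1" 200 1234 xfh="video.example.org"',
    '203.0.113.6 - - [04/Jan/2023:22:03:10 +0000] "GET /player/embed HTTP/1.1" 200 1234 xfh="-"',
    '198.51.100.7 - - [04/Jan/2023:22:03:15 +0000] "GET /player/embed HTTP/1.1" 200 1234 xfh="attacker.example"',
    '198.51.100.8 - - [04/Jan/2023:22:03:20 +0000] "GET /player/embed HTTP/1.1" 200 1234 xfh="video.example.org<x>"',
]


def find_suspicious_xfh(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client_ip, timestamp, value, reason) for every log entry whose
    X-Forwarded-Host value is not a plain hostname or is not on the allowlist.
    Empty or "-" values (header absent) are not reported."""
    findings = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        xfh = m.group("xfh")
        if xfh in ("", "-"):
            continue
        if not is_hostname(xfh):
            findings.append((m.group("ip"), m.group("ts"), xfh, "not a syntactic hostname"))
        elif xfh.split(":")[0].lower() not in ALLOWED_HOSTS:
            findings.append((m.group("ip"), m.group("ts"), xfh, "host not in allowlist"))
    return findings


if __name__ == "__main__":
    print(select_host("video.example.org", "fallback.example.org"))
    print(select_host("video.example.org<x>", "fallback.example.org"))
    for finding in find_suspicious_xfh(SAMPLE_LOG):
        print(finding)
```

The allowlist check is the part that matters: syntactic validation alone would still let an attacker-controlled but well-formed hostname through, which is a host-header poisoning problem rather than XSS, so both checks are applied. The same `is_hostname` and allowlist logic drives the log scan, so a value that would have been rejected by the application is also the value that gets flagged for investigation.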


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2023-01-04T22:01:49.301Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68371692182aa0cae24f0c6e

Added to database: 5/28/2025, 1:58:42 PM

Last enriched: 7/7/2025, 9:28:02 AM

Last updated: 8/15/2025, 5:47:46 PM
