Description
This affects the package video.js before 7.14.3. The src attribute of the track tag allows HTML escaping to be bypassed and arbitrary code to be executed.
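The weakness described above is a value reaching an HTML attribute without escaping. The following is an added example, not video.js code, showing the defensive pattern: every value placed in a track element's attributes is HTML-escaped, and the src is additionally restricted to http(s) URLs before the markup is built. The base URL, the sample values and the function names are constructed for the example.

```javascript
// Added example (not part of video.js): build <track> markup safely.
// Characters that can terminate or alter an attribute value are escaped.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Only http(s) track sources are accepted; relative paths resolve against a
// placeholder base (constructed for this example) so they are allowed too.
function isAllowedTrackSrc(src) {
  let url;
  try {
    url = new URL(String(src), 'https://player.example/');
  } catch (e) {
    return false; // unparsable input is rejected rather than interpolated
  }
  return url.protocol === 'https:' || url.protocol === 'http:';
}

// Each attribute value is escaped before it is interpolated into the string.
function buildTrackTag({ src, kind = 'subtitles', srclang = 'en', label = '' }) {
  if (!isAllowedTrackSrc(src)) {
    throw new Error('track src rejected: only http(s) URLs are allowed');
  }
  return (
    `<track src="${escapeAttr(src)}" kind="${escapeAttr(kind)}" ` +
    `srclang="${escapeAttr(srclang)}" label="${escapeAttr(label)}">`
  );
}

// Constructed sample input: quotes and angle brackets in attribute values.
console.log(buildTrackTag({ src: 'subs/en "draft".vtt', label: 'English <CC>' }));
```

Building the element with DOM APIs (document.createElement and setAttribute) avoids the string interpolation entirely; the escaping shown here is what a string-based renderer must do for every attribute.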
Recommendation
Update the video.js package to the latest compatible version. Version details:
- Affected version(s): < 7.14.3
- Patched version(s): 7.14.3
References
- GHSA-pp7m-6j83-m7r6
- snyk.io
- lists.fedoraproject.org
- CVE-2021-23414
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Options structure open to Cross-site Scripting if passed unfiltered - CVE-2021-29489
- Cross-site Scripting in curly-bracket-parser - CVE-2021-23416
- Cross-site Scripting in file-upload-with-preview - CVE-2021-23439
- Cross-site Scripting in Mermaid - CVE-2021-35513
Tags:
- npm
- video.js
Last updated on February 01, 2023