Description
This affects the package video.js before 7.14.3. The src attribute of the track tag allows an attacker to bypass HTML escaping and execute arbitrary code.
Recommendation
Update the video.js package to the latest compatible version. Version details:
- Affected version(s): < 7.14.3
- Patched version(s): 7.14.3
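To confirm that no copy of video.js below 7.14.3 remains installed, including copies nested under other dependencies, the following added example (not part of the advisory or of the video.js project) checks a parsed package-lock.json against the affected range. The sample lockfile and the "player-widget" package name are constructed for illustration.

```javascript
const PATCHED = [7, 14, 3]; // first patched version, per the advisory

// Parse "major.minor.patch[-prerelease]"; null when it is not a plain semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when version < 7.14.3. Unparseable values (git URL, missing) fail closed.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== PATCHED[i]) return p.nums[i] < PATCHED[i];
  }
  return p.pre; // a 7.14.3 prerelease sorts before 7.14.3
}

// List every installed copy of video.js in a parsed package-lock.json.
function findVideoJs(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/video.js" || path.endsWith("/node_modules/video.js")) {
      hits.push({ path, version: pkg.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, trail) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const here = trail ? `${trail} > ${name}` : name;
      if (name === "video.js") hits.push({ path: here, version: dep.version });
      walk(dep.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile (not from a real project): one patched top-level
// copy and one vulnerable copy nested under a hypothetical "player-widget".
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/video.js": { version: "7.14.3" },
    "node_modules/player-widget/node_modules/video.js": { version: "7.11.8" },
  },
};
console.log(findVideoJs(SAMPLE_LOCK));
```

Any entry reported with affected set to true needs the parent dependency updated or the nested version overridden, since upgrading only the top-level video.js leaves that copy in place.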
References
- GHSA-pp7m-6j83-m7r6
- snyk.io
- lists.fedoraproject.org
- CVE-2021-23414
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Cross-site Scripting in jquery-ui - CVE-2010-5312
- nuxt Code Injection vulnerability - CVE-2023-3224
- QooxDoo XSS in Callback Parameter - CVE-2011-1714
- Denial of Service in ipfs-bitswap - Vulnerability
- Tags:
- npm
- video.js
Last updated on February 01, 2023