Description
This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.
Recommendation
Update the video.js package to the latest compatible version. Followings are version details:
- Affected version(s): < 7.14.3
- Patched version(s): 7.14.3
References
- GHSA-pp7m-6j83-m7r6
- snyk.io
- lists.fedoraproject.org
- CVE-2021-23414
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- textAngular Cross-site Scripting vulnerability - CVE-2021-32854
- Vditor Cross-site Scripting vulnerability - CVE-2021-32855
- Cross-site Scripting in quill - CVE-2021-3163
- Cross-site Scripting in pekeupload - CVE-2021-23673
You might also like:
- Tags:
- npm
- video.js
Anything's wrong? Let us know Last updated on February 01, 2023


