CVE-2021-23414

Опубликовано: 28 июл. 2021

Источник: nvd

CVSS3: 6.5

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.

Ссылки

https://github.com/videojs/video.js/commit/b3acf663641fca0f7a966525a72845af7ec5fab2
Patch
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74SXNGA5RIWM7QNX7H3G7SYIQLP4UUGV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1533588
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1533587
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-VIDEOJS-1533429
Exploit
Third Party Advisory
https://github.com/videojs/video.js/commit/b3acf663641fca0f7a966525a72845af7ec5fab2
Patch
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74SXNGA5RIWM7QNX7H3G7SYIQLP4UUGV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1533588
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1533587
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-VIDEOJS-1533429
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:videojs:video.js:*:*:*:*:*:node.js:*:*

Версия до 7.14.3 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

EPSS

Процентиль: 63%

0.00437

Низкий

6.5 Medium

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-pp7m-6j83-m7r6

CVSS3: 6.5

github

больше 4 лет назад

Cross-site Scripting in video.js

EPSS

Процентиль: 63%

0.00437

Низкий

6.5 Medium

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79