Description
This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.
Remediation
References
https://github.com/videojs/video.js/commit/b3acf663641fca0f7a966525a72845af7ec5fab2
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74SXNGA5RIWM7QNX7H3G7SYIQLP4UUGV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1533588
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1533587
https://snyk.io/vuln/SNYK-JS-VIDEOJS-1533429
Related Vulnerabilities
CVE-2022-29161 Vulnerability in maven package org.xwiki.platform:xwiki-platform-crypto
CVE-2023-46119 Vulnerability in npm package parse-server
CVE-2021-3803 Vulnerability in npm package nth-check
CVE-2022-36031 Vulnerability in npm package directus
CVE-2022-36092 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore