Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-23414

Good to know:

icon
icon

Date: July 28, 2021

This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.

Language: JS

Severity Score

Related Resources (10)

https://github.com/videojs/video.js/commit/b3acf663641fca0f7a966525a72845af7ec5fab2
https://github.com/videojs/video.js
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2
https://nvd.nist.gov/vuln/detail/CVE-2021-23414
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74SXNGA5RIWM7QNX7H3G7SYIQLP4UUGV
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74SXNGA5RIWM7QNX7H3G7SYIQLP4UUGV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2/
https://www.mend.io/vulnerability-database/CVE-2021-23414

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version videojs/video.js - v7.14.3;videojs/video.js - dev-fix/hide-menu-button-on-click;videojs/video.js - dev-chore/update-playbackrates-docs;videojs/video.js - dev-feat-add-svg-icons;videojs/video.js - dev-enhanced-logger;videojs/video.js - v2.0.3;videojs/video.js - dev-rollback-remark;videojs/video.js - dev-fix/timeToolTip;videojs/video.js - dev-karma-browserstack-test;videojs/video.js - dev-private-bind;videojs/video.js - 7.x-dev;videojs/video.js - dev-chore/faster-test-watch;videojs/video.js - dev-feat/improve-smarttv-scrubbing;videojs/video.js - dev-fix/captions-old-chrome;videojs/video.js - dev-feat/screen-orientation;videojs/video.js - dev-netlify-ci-demo;videojs/video.js - v5.0.0-1;videojs/video.js - dev-fix/spatial-navigation-focus-lost;videojs/video.js - dev-replay-fix;videojs/video.js - v5.9.0-1;video.js - 5.9.0-0;video.js - 7.14.3;lochmueller/html5videoplayer - 7.2.0;lochmueller/html5videoplayer - 7.2.3;ibexa/experience-skeleton - v3.3.3;ibexa/commerce-skeleton - v3.3.3;ibexa/content-skeleton - v3.3.3;org.webjars.bower:video.js:6.7.3;org.webjars.bower:video.js:5.10.7;org.webjars.bower:video-js:5.7.1;org.webjars.bower:video-js:5.12.6;org.webjars.npm:github-com-videojs-video-js:8.17.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us