Closed mend-for-github-com[bot] closed 2 years ago
An HTML5 and Flash video player with a common API and skin for both.
Library home page: https://registry.npmjs.org/video.js/-/video.js-7.1.0.tgz
Dependency Hierarchy: - :x: **video.js-7.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: fbdf8372a96f7f26965d33fedec5089038e609dc
Found in base branch: master
This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.
Publish Date: 2021-07-28
URL: CVE-2021-23414
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23414
Release Date: 2021-07-28
Fix Resolution: 7.14.3
CVE-2021-23414 - Medium Severity Vulnerability
An HTML5 and Flash video player with a common API and skin for both.
Library home page: https://registry.npmjs.org/video.js/-/video.js-7.1.0.tgz
Dependency Hierarchy: - :x: **video.js-7.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: fbdf8372a96f7f26965d33fedec5089038e609dc
Found in base branch: master
This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.
Publish Date: 2021-07-28
URL: CVE-2021-23414
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23414
Release Date: 2021-07-28
Fix Resolution: 7.14.3