GHSA-pp7m-6j83-m7r6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pp7m-6j83-m7r6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-pp7m-6j83-m7r6/GHSA-pp7m-6j83-m7r6.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-pp7m-6j83-m7r6
- Aliases
- Published
- 2021-08-10T16:09:36Z
- Modified
- 2025-01-08T10:41:40.546069Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Cross-site Scripting in video.js
- Details
-
This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2021-08-02T18:36:58Z", "nvd_published_at": "2021-07-28T08:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-23414
- https://github.com/videojs/video.js/commit/b3acf663641fca0f7a966525a72845af7ec5fab2
- https://github.com/videojs/video.js
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74SXNGA5RIWM7QNX7H3G7SYIQLP4UUGV
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1533588
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1533587
- https://snyk.io/vuln/SNYK-JS-VIDEOJS-1533429
Affected packages
npm / video.js
Package
- Name
- video.js
- View open source insights on deps.dev
- Purl
- pkg:npm/video.js