CVE-2021-23414 — MEDIUM (6.5)

Q: What is CVE-2021-23414?

CVE-2021-23414 is a vulnerability with a CVSS score of 6.5 (MEDIUM). This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.

Q: How severe is CVE-2021-23414?

CVE-2021-23414 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-23414?

Check the references section above for vendor advisories and patch information. Affected products include: Videojs Video.Js, Fedoraproject Fedora.

Vulnerability Description

This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Videojs	Video.Js	< 7.14.3
Fedoraproject	Fedora	35

Related Weaknesses (CWE)

CWE-79

References

https://github.com/videojs/video.js/commit/b3acf663641fca0f7a966525a72845af7ec5fPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1533588ExploitThird Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1533587ExploitThird Party Advisory
https://snyk.io/vuln/SNYK-JS-VIDEOJS-1533429ExploitThird Party Advisory
https://github.com/videojs/video.js/commit/b3acf663641fca0f7a966525a72845af7ec5fPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1533588ExploitThird Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1533587ExploitThird Party Advisory
https://snyk.io/vuln/SNYK-JS-VIDEOJS-1533429ExploitThird Party Advisory

FAQ

What is CVE-2021-23414?

CVE-2021-23414 is a vulnerability with a CVSS score of 6.5 (MEDIUM). This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.

How severe is CVE-2021-23414?

CVE-2021-23414 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-23414?

Check the references section above for vendor advisories and patch information. Affected products include: Videojs Video.Js, Fedoraproject Fedora.