CVE-2021-23414
Cross-site Scripting (XSS) vulnerability in video.js (npm)
What is CVE-2021-23414 About?
This vulnerability is a Cross-site Scripting (XSS) issue affecting the 'video.js' package before version 7.14.3. It allows attackers to bypass HTML escaping via the 'src' attribute of a track tag, leading to arbitrary script execution in the victim's browser. Exploitation requires control over the input used for the 'src' attribute.
Affected Software
Technical Details
The vulnerability in 'video.js' (versions prior to 7.14.3) stems from an insufficient HTML escaping mechanism when processing the 'src' attribute within a <track> HTML tag. An attacker can embed malicious JavaScript code within this 'src' attribute. When the track element is rendered or processed by 'video.js' within the browser, the malicious script is executed, bypassing the intended HTML sanitization filters. This leads to a client-side Cross-site Scripting (XSS) attack, allowing the attacker to perform actions such as session hijacking, defacement, or redirection.
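To make the escaping failure concrete, the following added example (illustrative code, not video.js's own implementation) contrasts a track tag built by interpolating an unescaped 'src' value with one that escapes every attribute value, plus a small check that counts the attributes actually present in the rendered tag. The helpers, the attribute-counting regex and the sample track object are assumptions constructed for this example.

```javascript
// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable pattern: untrusted metadata interpolated verbatim into the tag.
// This is the shape of the bug described for video.js < 7.14.3, written here
// as a hypothetical helper, not the library's code.
function trackTagUnsafe(track) {
  return `<track kind="${track.kind}" src="${track.src}" srclang="${track.srclang}">`;
}

// Hardened pattern: every attribute value is escaped before interpolation,
// so a quote in the value can no longer terminate the attribute.
function trackTagSafe(track) {
  return `<track kind="${escapeAttr(track.kind)}" src="${escapeAttr(track.src)}" srclang="${escapeAttr(track.srclang)}">`;
}

// Defensive check: list the attribute names present in a rendered tag.
// If a tag built from one track object carries attributes the builder never
// set, an attribute value broke out of its quotes.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z_:][-a-zA-Z0-9_:.]*)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Constructed sample: a src value containing a quote that closes the
// attribute and smuggles in an extra (harmless) attribute.
const untrustedTrack = {
  kind: 'captions',
  src: 'captions.vtt" data-injected="1',
  srclang: 'en',
};

console.log('unsafe :', attributeNames(trackTagUnsafe(untrustedTrack)));
console.log('escaped:', attributeNames(trackTagSafe(untrustedTrack)));
```

The unsafe builder yields four attributes (kind, src, data-injected, srclang) from a three-field object, while the escaped builder keeps the injected text inside the 'src' value.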
What is the Impact of CVE-2021-23414?
Successful exploitation may allow attackers to execute arbitrary JavaScript in the victim's browser, leading to session hijacking, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2021-23414?
Exploitation is of low to medium complexity, depending on the attacker's ability to control the 'src' attribute of a track tag. This typically occurs in scenarios where user-supplied content, such as video metadata or captions, is not properly sanitized before being used to construct or populate track tags. No specific authentication or privilege is required beyond influencing the input for the 'src' attribute. It is a remote vulnerability, allowing an attacker to deliver a malicious payload through a crafted webpage or content. Special conditions include the 'video.js' player being used to display videos with attacker-controlled track data. Risk factors increase if the application allows untrusted users to upload or modify video content and its associated metadata.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23414?
Available Upgrade Options
- video.js
- <7.14.3 → Upgrade to 7.14.3
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2/
- https://nvd.nist.gov/vuln/detail/CVE-2021-23414
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1533587
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2
- https://github.com/videojs/video.js/commit/b3acf663641fca0f7a966525a72845af7ec5fab2
- https://osv.dev/vulnerability/GHSA-pp7m-6j83-m7r6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1533588
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB/
What are Similar Vulnerabilities to CVE-2021-23414?
Similar Vulnerabilities: CVE-2023-23913, CVE-2020-36599, CVE-2015-9284, CVE-2019-1002010, CVE-2017-0904
