| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| 8167959 | LX Appliance | < June 2023 |
| 8167960 | LX Appliance | < June 2023 |
| 8167961 | LX Appliance | < June 2023 |
| 8167962 | LX Appliance | < June 2023 |
| 8167963 | LX Appliance | < June 2023 |
| 8167964 | LX Appliance | < June 2023 |
A vulnerability in the Video.js package could allow a user of LX Appliance, with a high privilege account (i.e., with the "Teacher" role), to craft a malicious course and launch an XSS attack.
This affects the video.js package before version 7.14.3. The src attribute of the track tag allows HTML escaping to be bypassed, so arbitrary code can be executed.
Mitigation
Remediation
Contact Festo Didactic services department at services.didactic@festo.com to update your LX Appliance to the latest version.
General recommendation
As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:
- Use LX Appliances only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
- Use firewalls to protect and separate LX Appliances from other networks
- Use VPN (Virtual Private Networks) tunnels if remote access is required
- Limit the access to LX Appliances by physical means, operating system features, etc.
Festo strongly recommends minimizing and protecting network access to LX Appliances with state-of-the-art techniques and processes.
CERT@VDE coordinated with Festo