VDE-2023-040
Last update
01.10.2025 12:00
Published at
29.08.2023 12:00
Vendor(s)
Festo SE & Co. KG
External ID
FSA-202301
CSAF Document
Summary
A vulnerability in the Video.js package could allow a user of LX Appliance, with a high privilege account (i.e., with the "Teacher" role), to craft a malicious course and launch an XSS attack.
Impact
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
8167959, 8167960, 8167961, 8167962, 8167963, 8167964 | LX Appliance | < June 2023 |
Vulnerabilities
Published
06.10.2025 14:04
Severity
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary
This affects the package video.js before 7.14.3. The src attribute of the track tag bypasses HTML escaping, which allows arbitrary code execution.
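As an added illustration of the bug class named above (constructed for this page, not video.js's or Festo's code): a string-built `<track>` tag whose `src` skips the attribute escaper, beside one that escapes it, fed a constructed course value that tries to break out of the attribute.

```javascript
// Constructed illustration of "one attribute bypasses HTML escaping";
// it models the bug shape, not the library's actual implementation.

const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that could end an attribute value or open a new tag.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Vulnerable pattern: kind and srclang are escaped, src is interpolated raw.
function buildTrackUnsafe(track) {
  return `<track kind="${escapeAttr(track.kind)}" src="${track.src}" srclang="${escapeAttr(track.srclang)}">`;
}

// Hardened pattern: src goes through the same escaper as every other attribute.
function buildTrackSafe(track) {
  return `<track kind="${escapeAttr(track.kind)}" src="${escapeAttr(track.src)}" srclang="${escapeAttr(track.srclang)}">`;
}

// Number of opening tags in the markup; a single <track> must yield exactly one.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed course data: the src value closes the attribute and injects markup.
const maliciousTrack = {
  kind: 'subtitles',
  src: 'subs.vtt"><b>injected</b>',
  srclang: 'en',
};

// Result is true when the builder keeps untrusted src confined to its attribute.
function keepsSrcInAttribute(builder) {
  return countTags(builder(maliciousTrack)) === 1;
}

console.log('unsafe builder confines src:', keepsSrcInAttribute(buildTrackUnsafe)); // false
console.log('safe builder confines src:  ', keepsSrcInAttribute(buildTrackSafe));   // true
```

The same check applies to any attribute built by string concatenation: every interpolated value, including a URL, must pass through the attribute escaper or be set through DOM APIs instead.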
References
Remediation
Contact Festo Didactic services department at services.didactic@festo.com to update your LX Appliance to the latest version.
Acknowledgments
Festo SE & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination and support with this publication (see https://certvde.com)
Revision History
Version | Date | Summary |
---|---|---|
1.0.0 | 29.08.2023 12:00 | Initial revision. |
1.0.1 | 01.10.2025 12:00 | Adjusted to VDE template. Changed title from "Video.js Cross-Site-Scripting (XSS) vulnerability in LX Appliance" to "Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance". |