Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance

VDE-2023-040

Last update

10/01/2025 12:00

Published at

08/29/2023 12:00

Vendor(s)

Festo SE & Co. KG

External ID

FSA-202301

CSAF Document

Download

Summary

A vulnerability in the Video.js package could allow a user of LX Appliance, with a high privilege account (i.e., with the "Teacher" role), to craft a malicious course and launch an XSS attack.

Impact

Affected Product(s)

Model no.	Product name	Affected versions
8167959, 8167960, 8167961, 8167962, 8167963, 8167964	LX Appliance <June2023	LX Appliance <June2023

Vulnerabilities

Expand / Collapse all

Published

10/06/2025 14:04

Severity

6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Summary

This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.

References

cve.org | nvd.nist.gov

Remediation

Contact Festo Didactic services department at services.didactic@festo.com to update your LX Appliance to the latest version.

Acknowledgments

Festo SE & Co. KG thanks the following parties for their efforts:

CERT@VDE for coordination and support with this publication (see https://certvde.com )

Revision History

Version	Date	Summary
1.0.0	08/29/2023 12:00	Initial revision.
1.0.1	10/01/2025 12:00	Adjusted to VDE template. Changed title from "Video.js Cross-Site-Scripting (XSS) vulnerability in LX Appliance" to "Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance".

Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2021-23414 6.1

Remediation

Acknowledgments

Revision History