Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance

VDE-2023-040
Last update: 10/01/2025 12:00
Published at: 08/29/2023 12:00
Vendor(s): Festo SE & Co. KG
External ID: FSA-202301

Summary

A vulnerability in the Video.js package could allow a user of LX Appliance with a high-privilege account (i.e., with the "Teacher" role) to craft a malicious course and launch an XSS attack.

Impact

Affected Product(s)

Model no.: 8167959, 8167960, 8167961, 8167962, 8167963, 8167964
Product name: LX Appliance
Affected versions: <June2023

Vulnerabilities

Published: 10/06/2025 14:04
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Summary

This affects the video.js package before version 7.14.3. The src attribute of the track tag allows an attacker to bypass HTML escaping and execute arbitrary code.
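
For teams that bundle video.js in their own web applications, the version boundary above can be checked against an npm lockfile. The following is an added example, not part of the advisory and not Festo code; it assumes an npm package-lock.json, and the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not from the advisory): list video.js copies in an npm
// package-lock.json and flag those older than the fixed release 7.14.3.
const FIXED = [7, 14, 3];

// Parse "major.minor.patch[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version is before 7.14.3 (a 7.14.3 pre-release counts as before).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // git URL or tag instead of a version: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Handles both layouts: flat "packages" (lockfile v2/v3) and nested "dependencies" (v1).
function findVideoJs(lock) {
  const hits = [];
  const add = (path, version) => hits.push({ path, version, affected: isAffected(version) });
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/video\.js$/.test(path)) add(path, info.version);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === "video.js") add(`${trail}${name}`, info.version);
      walk(info.dependencies, `${trail}${name} > `);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 layout): one current copy, one old nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "course-player" },
    "node_modules/video.js": { version: "7.20.1" },
    "node_modules/legacy-player/node_modules/video.js": { version: "7.11.4" },
    "node_modules/videojs-contrib-ads": { version: "6.9.0" },
  },
};
console.log(findVideoJs(sampleLock).filter((h) => h.affected));
```

Nested copies pulled in by other packages are reported separately, since upgrading the top-level dependency does not replace them.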

References

Remediation

Contact Festo Didactic services department at services.didactic@festo.com to update your LX Appliance to the latest version.

Acknowledgments

Festo SE & Co. KG thanks the following parties for their efforts:

Revision History

Version Date Summary
1.0.0 08/29/2023 12:00 Initial revision.
1.0.1 10/01/2025 12:00 Adjusted to VDE template. Changed title from "Video.js Cross-Site-Scripting (XSS) vulnerability in LX Appliance" to "Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance".