Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS04Yzg1LTRycjUtY2hyNM4AA8Hd

Cross-site Scripting (XSS) in DemoBundle/ezdemo bundled VideoJS

This Security Advisory is about a vulnerability in VideoJS, which is bundled in DemoBundle and the ezdemo legacy extension. Older releases of VideoJS contain an XSS vulnerability in the Flash-based video player. This is bundled in DemoBundle, and in the Legacy "ezdemo" and "ezdemo-ls-extension" extensions. Among the branches still receiving security advisories, only eZ Publish Platform 5.4 and eZ Publish Legacy 5.4 are affected. However, it may be possible to make this software work in newer branches, so please check whether you have it installed even if you're using eZ Platform 1.x or 2.x.

Because DemoBundle / ezdemo are only intended for demo purposes, they are not supported software. For that reason, and given the old age of the software, and manpower issues during the Coronavirus crisis, we are taking the unusual step of simply removing the affected file. This resolves the vulnerability, but also breaks the video playback feature. It may be possible to make it work again by upgrading to a current version of VideoJS, but it is unlikely that we will do this, given the reasons already mentioned.

Permalink: https://github.com/advisories/GHSA-8c85-4rr5-chr4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04Yzg1LTRycjUtY2hyNM4AA8Hd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 6 months ago

Identifiers: GHSA-8c85-4rr5-chr4
References:

• https://ezplatform.com/security-advisories/ezsa-2020-003-xss-in-demobundle-ezdemo-bundled-videojs
• https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/demobundle/2020-04-21-1.yaml
• https://web.archive.org/web/20201024034648/https://ezplatform.com/security-advisories/ezsa-2020-003-xss-in-demobundle-ezdemo-bundled-videojs
• https://github.com/advisories/GHSA-8c85-4rr5-chr4

Blast Radius: 0.0

Affected Packages