Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qcTlxLTZwNDItcXByN84AA8Hc
Cross-site Scripting (XSS) in DemoBundle/ezdemo bundled VideoJS
his Security Advisory is about a vulnerability in VideoJS, which is bundled in DemoBundle and the ezdemo legacy extension. Older releases of VideoJS contain an XSS vulnerability in the Flash-based video player. This is bundled in DemoBundle, and in the Legacy "ezdemo" and "ezdemo-ls-extension" extensions. Among the branches still receiving security advisories, only eZ Publish Platform 5.4 and eZ Publish Legacy 5.4 are affected. However, it may be possible to make this software work in newer branches, so please check whether you have it installed even if you're using eZ Platform 1.x or 2.x.
Because DemoBundle / ezdemo are only intended for demo purposes, they are not supported software. For that reason, and given the old age of the software, and manpower issues during the Coronavirus crisis, we are taking the unusual step of simply removing the affected file. This resolves the vulnerability, but also breaks the video playback feature. It may be possible to make it work again by upgrading to a current version of VideoJS, but it is unlikely that we will do this, given the reasons already mentioned.
Permalink: https://github.com/advisories/GHSA-jq9q-6p42-qpr7JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcTlxLTZwNDItcXByN84AA8Hc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 months ago
Updated: 7 months ago
Identifiers: GHSA-jq9q-6p42-qpr7
References:
- https://ezplatform.com/security-advisories/ezsa-2020-003-xss-in-demobundle-ezdemo-bundled-videojs
- https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezdemo-ls-extension/2020-04-21-1.yaml
- https://web.archive.org/web/20201024034648/https://ezplatform.com/security-advisories/ezsa-2020-003-xss-in-demobundle-ezdemo-bundled-videojs
- https://github.com/advisories/GHSA-jq9q-6p42-qpr7
Affected Packages
packagist:ezsystems/ezdemo-ls-extension
Dependent packages: 5Dependent repositories: 34
Downloads: 403,690 total
Affected Version Ranges: >= 5.4.0, < 5.4.2.1
Fixed in: 5.4.2.1
All affected versions: 5.4.0, 5.4.1, 5.4.2
All unaffected versions: 5.3.0, 5.3.1, 5.3.2, 5.3.5