{"id":"CVE-2021-23414","details":"This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.","aliases":["GHSA-pp7m-6j83-m7r6"],"modified":"2026-07-08T05:57:08.049256185Z","published":"2021-07-28T08:15:07.077Z","related":["SNYK-JAVA-ORGWEBJARSBOWER-1533588","SNYK-JAVA-ORGWEBJARSNPM-1533587","SNYK-JS-VIDEOJS-1533429"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"35"},{"last_affected":"35"},{"introduced":"36"},{"last_affected":"36"},{"introduced":"37"},{"last_affected":"37"}],"source":"CPE_STRING","vendor_product":"fedoraproject:fedora","cpes":["cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74SXNGA5RIWM7QNX7H3G7SYIQLP4UUGV/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB/"},{"type":"FIX","url":"https://github.com/videojs/video.js/commit/b3acf663641fca0f7a966525a72845af7ec5fab2"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1533588"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1533587"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-VIDEOJS-1533429"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/videojs/video.js","events":[{"introduced":"0"},{"fixed":"3777f9400bbe8b1e50243f4462c3bf252767e1bd"},{"fixed":"b3acf663641fca0f7a966525a72845af7ec5fab2"}],"database_specific":{"cpe":"cpe:2.3:a:videojs:video.js:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"0"},{"fixed":"7.14.3"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["v7.14.2","v7.14.1","v7.14.0","v7.13.4","v7.13.3","v7.13.2","v7.13.1","v7.13.0","v7.12.4","v7.12.3","v7.12.2","v7.12.1","v7.12.0","v7.11.8","v7.11.7","v7.11.6","v7.11.5","v7.11.4","v7.11.3","v7.11.2","v7.11.1","v7.11.0","v7.10.2","v7.10.1","v7.10.0","v7.9.7","v7.9.6","v7.9.5","v7.9.4","v7.9.3","v7.9.2","v7.9.1","v7.9.0","v7.7.6","v7.8.1","v7.8.0","v7.7.5","v7.7.4","v7.7.3","v7.7.2","v7.7.1","v7.7.0","v7.6.4","v7.6.3","v7.6.2","v7.6.1","v7.6.0","v7.5.4","v7.5.3","v7.5.2","v7.5.1","v7.5.0","v7.4.1","v7.4.0","v7.3.0","v7.2.4","v7.2.3","v7.2.2","v7.2.1","v7.2.0","v7.1.0","v7.0.5","v7.0.4","v7.0.3","v7.0.2","v7.0.1","v7.0.0","v7.0.0-rc.1","v7.0.0-alpha.1","v6.8.0","v6.7.4","v6.7.3","v6.7.2","v6.7.1","v6.7.0","v6.6.3","v6.6.2","v6.6.1","v6.6.0","v6.5.2","v6.5.1","v6.5.0","v6.4.0","v6.3.3","v6.3.2","v6.3.1","v6.3.0","v6.2.8","v6.2.7","v6.2.6","v6.2.5","v6.2.4","v6.2.3","v6.2.2","v6.2.1","v6.2.0","v6.1.0","v6.0.1","v6.0.0","v6.0.0-RC.8","v6.0.0-RC.6","v6.0.0-RC.5","v6.0.0-RC.4","v6.0.0-RC.2","v6.0.0-RC.1","v6.0.0-RC.0","v4.12.15","v4.12.14","v4.12.13","v4.12.12","v4.12.11","v4.12.10","v4.12.9","v4.12.8","v4.12.7","v4.12.6","v4.12.5","v4.12.4","v4.12.3","v4.12.2","v4.12.1","v4.12.0","v4.11.0","v4.10.0","v4.9.0","v4.8.0","v4.7.1","v4.7.0","v4.6.0","v4.5.0","v4.4.1","v4.4.0","v0.4.4-alpha","v4.3.0","v4.2.0","v4.1.0","3.0r1","v3.0b","v2.0.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23414.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}