FSA-202301
Vulnerability from csaf_festosecokg - Published: 2023-08-29 10:00 - Updated: 2025-10-01 10:00Summary
Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance
Notes
Summary: A vulnerability in the Video.js package could allow a user of LX Appliance, with a high privilege account (i.e., with the "Teacher" role), to craft a malicious course and launch an XSS attack.
Remediation: Contact Festo Didactic services department at services.didactic@festo.com to update your LX Appliance to the latest version.
General recommendation: As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:
- Use LX Appliances only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
- Use firewalls to protect and separate LX Appliances from other networks
- Use VPN (Virtual Private Networks) tunnels if remote access is required
- Limit the access to LX Appliances by physical means, operating system features, etc.
Festo strongly recommends minimizing and protect network access to LX Appliances with state-of-the-art techniques and processes.
Disclaimer: Festo assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided free of charge and on good faith by Festo. Insofar as permissible by law, however, none of this information shall establish any warranty, guarantee, commitment, or liability on the part of Festo.\n\nNote: In no case does this information release the operator or responsible person from the obligation to check the effect on his system or installation before using the information and, in the event of negative consequences, not to use the information.\n\nIn addition, the actual general terms, and conditions for delivery, payment and software use of Festo, available under http://www.festo.com and the special provisions for the use of Festo Security Advisory available at https://www.festo.com/psirt shall apply.
This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.
6.1 (Medium)
Vendor Fix
Contact Festo Didactic services department at services.didactic@festo.com to update your LX Appliance to the latest version.
References
| URL | Category | |
|---|---|---|
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination and support with this publication",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "A vulnerability in the Video.js package could allow a user of LX Appliance, with a high privilege account (i.e., with the \"Teacher\" role), to craft a malicious course and launch an XSS attack.",
"title": "Summary"
},
{
"category": "description",
"text": "Contact Festo Didactic services department at services.didactic@festo.com to update your LX Appliance to the latest version.",
"title": "Remediation"
},
{
"category": "general",
"text": "As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:\n- Use LX Appliances only in a protected environment to minimize network exposure and ensure that they are not accessible from outside\n- Use firewalls to protect and separate LX Appliances from other networks\n- Use VPN (Virtual Private Networks) tunnels if remote access is required\n- Limit the access to LX Appliances by physical means, operating system features, etc.\n\nFesto strongly recommends minimizing and protect network access to LX Appliances with state-of-the-art techniques and processes. ",
"title": "General recommendation"
},
{
"category": "legal_disclaimer",
"text": "Festo assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided free of charge and on good faith by Festo. Insofar as permissible by law, however, none of this information shall establish any warranty, guarantee, commitment, or liability on the part of Festo.\\n\\nNote: In no case does this information release the operator or responsible person from the obligation to check the effect on his system or installation before using the information and, in the event of negative consequences, not to use the information.\\n\\nIn addition, the actual general terms, and conditions for delivery, payment and software use of Festo, available under http://www.festo.com and the special provisions for the use of Festo Security Advisory available at https://www.festo.com/psirt shall apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@festo.com",
"name": "Festo SE \u0026 Co. KG",
"namespace": "https://festo.com"
},
"references": [
{
"category": "self",
"summary": "FSA-202301: Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance - HTML",
"url": "https://certvde.com/en/advisories/VDE-2023-040/"
},
{
"category": "self",
"summary": "FSA-202301: Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance - CSAF",
"url": "https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2023/fsa-202301.json"
},
{
"category": "external",
"summary": "For further security-related issues in Festo products please contact the Festo Product Security Incident Response Team (PSIRT)",
"url": "https://festo.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Festo SE \u0026 Co. KG",
"url": "https://certvde.com/en/advisories/vendor/festo/"
}
],
"title": "Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance",
"tracking": {
"aliases": [
"VDE-2023-040"
],
"current_release_date": "2025-10-01T10:00:00.000Z",
"generator": {
"date": "2025-09-30T21:43:11.279Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.16"
}
},
"id": "FSA-202301",
"initial_release_date": "2023-08-29T10:00:00.000Z",
"revision_history": [
{
"date": "2023-08-29T10:00:00.000Z",
"number": "1.0.0",
"summary": "Initial revision."
},
{
"date": "2025-10-01T10:00:00.000Z",
"number": "1.0.1",
"summary": "Adjusted to VDE template. Changed title from \"Video.js Cross-Site-Scripting (XSS) vulnerability in LX Appliance\" to \"Festo: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance\"."
}
],
"status": "final",
"version": "1.0.1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cJune2023",
"product": {
"name": "LX Appliance \u003cJune2023",
"product_id": "CSAFPID-51001",
"product_identification_helper": {
"model_numbers": [
"8167959",
"8167960",
"8167961",
"8167962",
"8167963",
"8167964"
],
"x_generic_uris": [
{
"namespace": "Festo:Partnumber",
"uri": "Festo:Partnumber:8167959"
},
{
"namespace": "Festo:Partnumber",
"uri": "Festo:Partnumber:8167960"
},
{
"namespace": "Festo:Partnumber",
"uri": "Festo:Partnumber:8167961"
},
{
"namespace": "Festo:Partnumber",
"uri": "Festo:Partnumber:8167962"
},
{
"namespace": "Festo:Partnumber",
"uri": "Festo:Partnumber:8167963"
},
{
"namespace": "Festo:Partnumber",
"uri": "Festo:Partnumber:8167964"
}
]
}
}
}
],
"category": "product_name",
"name": "LX Appliance"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Festo"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-23414",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "description",
"text": "This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-51001"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Contact Festo Didactic services department at services.didactic@festo.com to update your LX Appliance to the latest version.",
"product_ids": [
"CSAFPID-51001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 6.1,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"temporalScore": 6.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-51001"
]
}
],
"title": "CVE-2021-23414"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…