N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-8c85-4rr5-chr4

EPSS Score

CWE

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-8c85-4rr5-chr4

GHSA-8c85-4rr5-chr4: Cross-site Scripting (XSS) in DemoBundle/ezdemo bundled VideoJS

This Security Advisory is about a vulnerability in VideoJS, which is bundled in DemoBundle and the ezdemo legacy extension. Older releases of VideoJS contain an XSS vulnerability in the Flash-based video player. This is bundled in DemoBundle, and in the Legacy "ezdemo" and "ezdemo-ls-extension" extensions. Among the branches still receiving security advisories, only eZ Publish Platform 5.4 and eZ Publish Legacy 5.4 are affected. However, it may be possible to make this software work in newer branches, so please check whether you have it installed even if you're using eZ Platform 1.x or 2.x.

Because DemoBundle / ezdemo are only intended for demo purposes, they are not supported software. For that reason, and given the old age of the software, and manpower issues during the Coronavirus crisis, we are taking the unusual step of simply removing the affected file. This resolves the vulnerability, but also breaks the video playback feature. It may be possible to make it work again by upgrading to a current version of VideoJS, but it is unlikely that we will do this, given the reasons already mentioned.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-8c85-4rr5-chr4

EPSS Score

CWE

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ezsystems/demobundle	composer	>= 5.4.0, < 5.4.6.1	5.4.6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The advisory explicitly states the vulnerability stems from an outdated VideoJS Flash-based player (video-js.swf file) but provides no specific function-level details. The resolution was file removal rather than patching specific functions. Without access to: 1) The exact vulnerable VideoJS version's source code, 2) Commit diffs showing vulnerable code patterns, or 3) XSS payload reproduction details, we cannot confidently identify specific vulnerable functions. The vulnerability appears to reside in the Flash player's handling of external inputs, but Flash/AS3 reverse-engineering would be required to pinpoint exact functions - information not provided in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is S**urity **visory is **out * vuln*r**ility in Vi**oJS, w*i** is *un*l** in **mo*un*l* *n* t** *z**mo l****y *xt*nsion. Ol**r r*l**s*s o* Vi**oJS *ont*in *n XSS vuln*r**ility in t** *l*s*-**s** vi**o pl*y*r. T*is is *un*l** in **mo*un*l*, *n* in

Reasoning

T** **visory *xpli*itly st*t*s t** vuln*r**ility st*ms *rom *n out**t** `Vi**oJS` *l*s*-**s** pl*y*r (`vi**o-js.sw*` *il*) *ut provi**s no sp**i*i* `*un*tion-l*v*l` **t*ils. T** r*solution w*s *il* r*mov*l r*t**r t**n p*t**in* sp**i*i* `*un*tions`. W

N/A

Basic Information

Concerned about an active attack path?

GHSA-8c85-4rr5-chr4: Cross-site Scripting (XSS) in DemoBundle/ezdemo bundled VideoJS

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI