
ID

VDE-2023-040

Published

2023-08-29 12:00 (CEST)

Last update

2023-08-29 14:08 (CEST)

Vendor(s)

Festo Didactic SE

Product(s)

Article No.   Product Name   Affected Version(s)
8167959       LX Appliance   < June 2023
8167960       LX Appliance   < June 2023
8167961       LX Appliance   < June 2023
8167962       LX Appliance   < June 2023
8167963       LX Appliance   < June 2023
8167964       LX Appliance   < June 2023

Summary

A vulnerability in the Video.js package could allow a user of LX Appliance, with a high privilege account (i.e., with the "Teacher" role), to craft a malicious course and launch an XSS attack.


Last Update:

Aug. 17, 2023, 3:28 p.m.

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Summary

This affects the package video.js before 7.14.3. The src attribute of the track tag allows HTML escaping to be bypassed and arbitrary code to be executed.
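Added illustration, not video.js code and not part of the advisory: the general bug class behind this entry, an attribute value spliced into markup without attribute-context escaping, beside the escaped form. The function names, the track markup builders and the sample src value are constructed for this example.

```javascript
// Escape the characters that can terminate or alter an HTML attribute value.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Reverse of escapeHtmlAttr, used by the parser below so values round-trip.
function unescapeHtmlAttr(value) {
  return String(value)
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Vulnerable pattern: src is concatenated raw, so a double quote inside it
// closes the attribute early and whatever follows becomes new attributes.
function trackMarkupUnsafe(src, kind = 'captions') {
  return `<track kind="${kind}" src="${src}">`;
}

// Hardened pattern: every interpolated value is escaped for the attribute context.
function trackMarkupSafe(src, kind = 'captions') {
  return `<track kind="${escapeHtmlAttr(kind)}" src="${escapeHtmlAttr(src)}">`;
}

// Minimal tokenizer for double-quoted attributes, reading each value up to the
// next raw double quote the way a browser's parser would. Returns name -> value.
function parseAttributes(markup) {
  const attrs = {};
  const re = /([A-Za-z-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(markup)) !== null) attrs[m[1]] = unescapeHtmlAttr(m[2]);
  return attrs;
}

// Constructed sample (not from a real course): a src value carrying a quote and
// angle brackets. Unescaped, it yields an extra attribute the author never wrote;
// escaped, the whole string stays inside src.
const sampleSrc = 'captions.vtt" data-injected="<b>x</b>';
```

Compare parseAttributes(trackMarkupUnsafe(sampleSrc)), where src is cut to "captions.vtt" and a data-injected attribute appears, with parseAttributes(trackMarkupSafe(sampleSrc)), where src round-trips unchanged.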


Solution

Mitigation

Remediation

Contact Festo Didactic services department at services.didactic@festo.com to update your LX Appliance to the latest version.

General recommendation

As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:
- Use LX Appliances only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
- Use firewalls to protect and separate LX Appliances from other networks
- Use VPN (Virtual Private Networks) tunnels if remote access is required
- Limit the access to LX Appliances by physical means, operating system features, etc.

Festo strongly recommends minimizing and protecting network access to LX Appliances with state-of-the-art techniques and processes.

Reported by

CERT@VDE coordinated with Festo