This affects the package video.js before 7.14.3. The src attribute of the track tag can be used to bypass HTML escaping and execute arbitrary code.
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1533588
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1533587
- https://snyk.io/vuln/SNYK-JS-VIDEOJS-1533429
No PoCs found on GitHub currently.