GHSA-8c85-4rr5-chr4: 
PHP vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in VideoJS bundled with DemoBundle and the ezdemo legacy extension. The vulnerability (GHSA-8c85-4rr5-chr4) was published on April 21, 2020, with a high severity rating. The issue affects DemoBundle and ezdemo extension across all versions, specifically impacting eZ Publish Platform 5.4 and eZ Publish Legacy 5.4 (EZ Platform).

The vulnerability exists in the Flash-based video player component of older VideoJS releases that were bundled in DemoBundle and the Legacy 'ezdemo' and 'ezdemo-ls-extension' extensions. The affected versions include those >= 5.4.0 and < 5.4.6.1, with the patched version being 5.4.6.1 (GitHub Advisory).

The vulnerability could allow attackers to execute cross-site scripting attacks through the Flash-based video player component. While primarily affecting eZ Publish Platform 5.4 and eZ Publish Legacy 5.4, the vulnerability could potentially impact newer branches if the affected software is installed on eZ Platform 1.x or 2.x systems (EZ Platform).

The vulnerability was addressed by completely removing the affected file 'video-js.swf' from the software. Users should update to the resolving versions: DemoBundle v5.4.6.1, ezdemo v5.4.2.1, or ezdemo-ls-extension v5.4.2.1. After updating, users should verify that the file 'video-js.swf' is not present in any web server-accessible directory. Note that this fix breaks the video playback feature, as the vulnerable component was removed rather than updated (EZ Platform).

The vulnerability was initially reported by Purplemet, a security monitoring and rating SaaS solution for web applications. The vendor acknowledged the responsible disclosure and implemented a resolution, though noting that due to the software's demo-only purpose and resource constraints during the Coronavirus crisis, they opted for removal rather than updating the component (EZ Platform).