GHSA-jq9q-6p42-qpr7: 
PHP vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in VideoJS bundled within DemoBundle and the ezdemo legacy extension. The vulnerability was disclosed on April 21, 2020, with a high severity rating. The issue affects DemoBundle and ezdemo extension (all versions), specifically impacting eZ Publish Platform 5.4 and eZ Publish Legacy 5.4 systems (EZ Platform).

The vulnerability exists in the Flash-based video player component of older VideoJS releases that were bundled in DemoBundle and the Legacy 'ezdemo' and 'ezdemo-ls-extension' extensions. The affected versions include all releases >=5.4.0 and <5.4.2.1, with patched versions being DemoBundle v5.4.6.1, ezdemo v5.4.2.1, and ezdemo-ls-extension v5.4.2.1 (GitHub Advisory).

The vulnerability could allow attackers to execute cross-site scripting attacks through the Flash-based video player component. While primarily affecting eZ Publish Platform 5.4 and eZ Publish Legacy 5.4, the vulnerability could potentially impact newer branches if the affected software was installed on eZ Platform 1.x or 2.x systems (EZ Platform).

The vulnerability was addressed by completely removing the affected file 'video-js.swf' from web-accessible directories. While this resolves the security issue, it also breaks the video playback feature. Users should verify that after updating, the file 'video-js.swf' is not present in any directory accessible by the web server. The security update is distributed via Composer with the resolving versions mentioned above (EZ Platform).

The vulnerability was initially reported by Purplemet, a security monitoring and rating SaaS solution for web applications. The vendor acknowledged the responsible disclosure and implemented a resolution, though noting that due to the demo-only nature of the affected components and resource constraints during the Coronavirus crisis, they opted for file removal rather than upgrading the VideoJS component (EZ Platform).