VYPR
Unrated severity · NVD Advisory · Published Jun 26, 2023 · Updated Feb 13, 2025

CVE-2020-23065

Description

Cross Site Scripting vulnerability in eZ Systems AS eZPublish Platform v.5.4 and eZ Publish Legacy v.5.4 allows a remote authenticated attacker to execute arbitrary code via the video-js.swf.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) vulnerability in VideoJS bundled in eZPublish Platform 5.4 and Legacy 5.4 allows authenticated attackers to execute arbitrary code via video-js.swf.

Vulnerability

The vulnerability is a Cross-Site Scripting (XSS) issue in the Flash-based video player VideoJS, which is bundled in the DemoBundle and the ezdemo legacy extension of eZ Publish Platform 5.4 and eZ Publish Legacy 5.4. All versions of DemoBundle and ezdemo are affected. The vulnerability resides in the video-js.swf file. This issue was originally discovered in older releases of VideoJS and is present in the bundled versions within these demo extensions [1].

Exploitation

An attacker with authenticated access to an eZ Publish instance that has the DemoBundle or ezdemo extension installed can exploit the XSS vulnerability by crafting a malicious request that triggers the vulnerable Flash player. The attacker may need to convince a user to interact with a specially crafted link or page that loads the video-js.swf file, leading to arbitrary JavaScript execution in the context of the victim's browser [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript code in the context of the authenticated user's session. This can lead to session hijacking, defacement, information disclosure, or other malicious actions performed under the user's privileges. The impact is limited to the browser session of the victim and does not provide server-side code execution [1].

Mitigation

The vulnerability is mitigated by removing the video-js.swf file from all web-accessible directories. The official fix is to update DemoBundle to version 5.4.6.1 and ezdemo to version 5.4.2.1 (or ezdemo-ls-extension to version 5.4.2.1) via Composer. After updating, administrators should verify that the video-js.swf file is no longer present. Since DemoBundle and ezdemo are demo software, no further support is planned. As a workaround, users can manually delete the file until the update is applied [1].
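The verification step above is easy to skip after a Composer update, so here is a post-update check an administrator could run. It is an added example, not part of the advisory or of eZ Systems' code: it scans a web root for any remaining copy of video-js.swf, can delete stragglers as the page's workaround describes, and compares an installed extension version against the fixed versions stated above (DemoBundle 5.4.6.1; ezdemo and ezdemo-ls-extension 5.4.2.1). The function names, the fixture directory layout and the reliance on `sort -V` (GNU or BusyBox coreutils) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or eZ Systems): post-update checks for
# CVE-2020-23065 in eZ Publish Platform / Legacy 5.4 demo extensions.

# Fixed versions named in the advisory.
DEMOBUNDLE_FIXED="5.4.6.1"
EZDEMO_FIXED="5.4.2.1"

# Print every video-js.swf found under the web root to stderr and the number
# of matches to stdout. A clean install prints 0.
count_videojs_swf() {
  matches=$(find "$1" -type f -iname 'video-js.swf' 2>/dev/null)
  if [ -n "$matches" ]; then
    printf '%s\n' "$matches" >&2
    printf '%s\n' "$matches" | wc -l | tr -d ' '
  else
    echo 0
  fi
}

# Workaround from the advisory: delete the Flash player until the update lands.
# Prints each path it removes.
remove_videojs_swf() {
  find "$1" -type f -iname 'video-js.swf' -print -delete 2>/dev/null
}

# True (exit 0) when installed version $1 is at least required version $2.
# Uses natural version ordering so 5.4.2 sorts below 5.4.2.1 (assumes sort -V).
version_at_least() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Report whether an installed extension version meets the advisory's fix.
# $1 = extension name, $2 = installed version, $3 = required version.
report_extension() {
  if version_at_least "$2" "$3"; then
    echo "$1 $2: OK (>= $3)"
  else
    echo "$1 $2: VULNERABLE, update to $3 or later"
  fi
}

# Self-contained demonstration on a constructed directory tree.
demo() {
  tmp=$(mktemp -d)
  # Constructed fixture: one stray player plus an unrelated file.
  mkdir -p "$tmp/web/bundles/ezdemo/js" "$tmp/web/bundles/other"
  : > "$tmp/web/bundles/ezdemo/js/video-js.swf"
  : > "$tmp/web/bundles/other/player.js"

  before=$(count_videojs_swf "$tmp/web" 2>/dev/null)
  remove_videojs_swf "$tmp/web" >/dev/null
  after=$(count_videojs_swf "$tmp/web" 2>/dev/null)
  rm -rf "$tmp"

  echo "video-js.swf copies before/after cleanup: $before/$after"
  report_extension DemoBundle 5.4.6   "$DEMOBUNDLE_FIXED"
  report_extension DemoBundle 5.4.6.1 "$DEMOBUNDLE_FIXED"
  report_extension ezdemo     5.4.2   "$EZDEMO_FIXED"
}

demo
```

Run it against the real web root with `count_videojs_swf /path/to/web` after updating; a non-zero count means a copy of the vulnerable player survived the Composer update and should be removed.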

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
