PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-23414 Festo CVE debrief

CVE-2021-23414 is a cross-site scripting issue described in the source advisory as affecting video.js before 7.14.3, where the src attribute of a track tag can bypass HTML escaping and allow arbitrary code execution. In the supplied CSAF record, this is associated with Festo LX Appliance and remediated through a Festo update path. The issue is network-reachable, requires user interaction, and is rated CVSS 6.1 (MEDIUM).

Vendor: Festo
Product: Software
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-08-29
Original CVE updated: 2025-10-01
Advisory published: 2023-08-29
Advisory updated: 2025-10-01

Who should care

Festo LX Appliance operators, OT/industrial IT administrators, and security teams responsible for browser-facing or embedded web content that may rely on video.js. It is especially relevant where users can be directed to open content that renders track tags or similar media elements.

Technical summary

The source advisory states that video.js versions before 7.14.3 are affected by an XSS flaw in the track tag src attribute handling. Instead of preserving HTML escaping, the attribute can be used in a way that permits arbitrary code execution in the user’s browser context. The CSAF record maps the advisory to Festo LX Appliance and lists CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating no privileges are needed but user interaction is required and the impact crosses security scope.
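The following is an added illustration, not code from video.js, Festo, or the advisory: it contrasts a template that interpolates an untrusted value straight into a track tag's src attribute with a hardened version that allowlists the URL scheme and escapes the attribute before rendering. The function names, the base URL media.example, and the hostile sample value are all constructed for this example.

```javascript
// Added example, not code from video.js or Festo. Shows why attribute escaping
// matters when a <track src="..."> is rendered from untrusted input, and one
// hardened pattern. All inputs below are constructed for illustration.

const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can terminate or alter an HTML attribute value.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Weak pattern: the value is interpolated as-is, so a quote inside it closes the
// src attribute and everything after it is parsed as markup.
function renderTrackUnsafe(src) {
  return `<track kind="subtitles" src="${src}">`;
}

// Hardened pattern: resolve the value as a URL, allowlist the scheme, then
// escape the resulting href. Returns null for anything that is not acceptable.
function renderTrackSafe(src, base = 'https://media.example/') {
  let url;
  try {
    url = new URL(String(src), base); // relative paths resolve against base
  } catch {
    return null; // not parseable as a URL at all
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return `<track kind="subtitles" src="${escapeAttr(url.href)}">`;
}

// Naive opening-tag counter used only to make the difference visible; it is
// not an HTML parser and should not be used as a security control.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed hostile value: closes the attribute and smuggles in extra markup.
const HOSTILE_SRC = 'captions.vtt"><i>injected</i><track src="x';
```

Rendering HOSTILE_SRC through renderTrackUnsafe yields three opening tags, while renderTrackSafe yields a single track tag whose src contains no raw quote or angle bracket.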

Defensive priority

Medium overall, but higher priority if the affected LX Appliance is exposed to untrusted or user-supplied content. Although the CVSS score is MEDIUM and there is no KEV flag in the supplied data, the issue can affect confidentiality and integrity in the browser context and should be remediated through the vendor update path.

Recommended defensive actions

  • Update the Festo LX Appliance using the vendor remediation path listed in the advisory.
  • Contact Festo Didactic services at [email protected] to obtain the latest version.
  • Review any workflows that render media or track elements and reduce exposure to untrusted HTML or user-supplied content.
  • Treat the issue as requiring user interaction and validate whether affected content paths exist in deployed LX Appliance instances.
  • Use the linked CISA ICS recommended practices as a baseline for defense-in-depth while patching.

Evidence notes

All core facts come from the supplied CISA CSAF source item for ICSA-25-343-02 and its referenced advisory metadata. The source states: affected package video.js before 7.14.3; track tag src attribute bypasses HTML escaping and can execute arbitrary code; remediation is to update the LX Appliance through Festo Didactic services. The advisory was initially published on 2023-08-29 and revised on 2025-10-01 for template/title adjustments, so 2023-08-29 should be treated as the CVE publication context in this dataset.

Official resources

Publicly disclosed in the supplied source advisory on 2023-08-29, with a later editorial/template revision on 2025-10-01. Use the 2023-08-29 publication date for CVE timing context rather than the later revision date.