@haxtheweb/video-player 9.0.25

Direct Vulnerabilities

Known vulnerabilities in the @haxtheweb/video-player package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) @haxtheweb/video-player is an Automated conversion of video-player/ Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `video-player` component's `source` and `source-data` attributes. An attacker can execute arbitrary JavaScript in the victim's browser and access sensitive data, such as authentication tokens, by injecting a malicious URI scheme that is rendered and executed when another user views the affected page. How to fix Cross-site Scripting (XSS)? Upgrade `@haxtheweb/video-player` to version 26.0.0 or higher.	<26.0.0
M Cross-site Scripting (XSS) @haxtheweb/video-player is an Automated conversion of video-player/ Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper sanitization of `<iframe>` elements that allow `javascript:` URIs in the `src` attribute. An attacker can execute arbitrary JavaScript in the victim's browser context by injecting malicious payloads, leading to access of sensitive client-side data, authentication tokens, session cookies, and potentially enabling full account takeover through unauthorized API actions. How to fix Cross-site Scripting (XSS)? Upgrade `@haxtheweb/video-player` to version 26.0.0 or higher.	<26.0.0

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

@haxtheweb/video-player is an Automated conversion of video-player/

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the video-player component's source and source-data attributes. An attacker can execute arbitrary JavaScript in the victim's browser and access sensitive data, such as authentication tokens, by injecting a malicious URI scheme that is rendered and executed when another user views the affected page.

How to fix Cross-site Scripting (XSS)?

Upgrade @haxtheweb/video-player to version 26.0.0 or higher.

<26.0.0

Cross-site Scripting (XSS)

@haxtheweb/video-player is an Automated conversion of video-player/

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper sanitization of <iframe> elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the victim's browser context by injecting malicious payloads, leading to access of sensitive client-side data, authentication tokens, session cookies, and potentially enabling full account takeover through unauthorized API actions.

How to fix Cross-site Scripting (XSS)?

Upgrade @haxtheweb/video-player to version 26.0.0 or higher.

<26.0.0

@haxtheweb/video-player@9.0.25

Automated conversion of video-player/

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically