Cross-site Scripting (XSS) in DemoBundle/ezdemo bundled VideoJS

his Security Advisory is about a vulnerability in VideoJS, which is bundled in DemoBundle and the ezdemo legacy extension. Older releases of VideoJS contain an XSS vulnerability in the Flash-based video player. This is bundled in DemoBundle, and in the Legacy “ezdemo” and “ezdemo-ls-extension” extensions. Among the branches still receiving security advisories, only eZ Publish Platform 5.4 and eZ Publish Legacy 5.4 are affected. However, it may be possible to make this software work in newer branches, so please check whether you have it installed even if you’re using eZ Platform 1.x or 2.x.

Because DemoBundle / ezdemo are only intended for demo purposes, they are not supported software. For that reason, and given the old age of the software, and manpower issues during the Coronavirus crisis, we are taking the unusual step of simply removing the affected file. This resolves the vulnerability, but also breaks the video playback feature. It may be possible to make it work again by upgrading to a current version of VideoJS, but it is unlikely that we will do this, given the reasons already mentioned.