CVE-2024-29882

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-29882
SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.

7.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d
https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7
https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d
https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7
Configurations

No configuration.

History

21 Nov 2024, 09:08

Type Values Removed Values Added
Summary
  • (es) SRS es un servidor de vídeo en tiempo real, sencillo y de alta eficiencia. El endpoint `/api/v1/vhosts/vid-?callback=` de SRS no filtró el nombre de la función de devolución de llamada, lo que llevó a inyectar payloads de JavaScript maliciosos y ejecutar XSS (Cross-Site Scripting). Esta vulnerabilidad se solucionó en 5.0.210 y 6.0.121.
References () https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d - () https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d -
References () https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7 - () https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7 -

28 Mar 2024, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-28 14:15

Updated : 2024-11-21 09:08

NVD link : CVE-2024-29882

Mitre link : CVE-2024-29882

CVE.ORG link : CVE-2024-29882

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024