Lucene search

GitHub_MCVELIST:CVE-2024-29193

HistoryApr 04, 2024 - 6:35 p.m.

CVE-2024-29193 GHSL-2023-207 gotortc DOM-based Cross-site Scripting vulnerability

2024-04-0418:35:28

CWE-79

GitHub_M

www.cve.org

cve-2024-29193

ghsl-2023-207

dom-based cross-site scripting

gotortc

object.entries

innerhtml

go2rtc

security vulnerability

client-side

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (index.html) shows the available streams by fetching the API ([0]) in the client side. Then, it uses Object.entries to iterate over the result ([1]) whose first item (name) gets appended using innerHTML ([2]). In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, in which the XSS would be executed in the context of go2rtc’s origin. As of time of publication, no patch is available.

CNA Affected

[
  {
    "vendor": "AlexxIT",
    "product": "go2rtc",
    "versions": [
      {
        "version": "<= 1.8.5",
        "status": "affected"
      }
    ]
  }
]

References

securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVELIST:CVE-2024-29193