Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yaDRyLWY3Zjctcjk5bc4AA-Yy
gotortc Cross-site Scripting vulnerability
gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (index.html) shows the available streams by fetching the API in the client side. Then, it uses Object.entries to iterate over the result whose first item (name) gets appended using innerHTML. In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, in which the XSS would be executed in the context of go2rtc’s origin.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yaDRyLWY3Zjctcjk5bc4AA-Yy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-rh4r-f7f7-r99m, CVE-2024-29193
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-29193
- https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba
- https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc
- https://github.com/advisories/GHSA-rh4r-f7f7-r99m
Blast Radius: 0.0
Affected Packages
go:github.com/AlexxIT/go2rtc
Dependent packages: 2Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.9.0
Fixed in: 1.9.0
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5
All unaffected versions: 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4