CVE-2024-29882
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
6.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.2%
SRS is a simple, high-efficiency, real-time video server. SRS’s /api/v1/vhosts/vid-<id>?callback=<payload> endpoint didn’t filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ossrs | simple_realtime_server | * | cpe:2.3:a:ossrs:simple_realtime_server:*:*:*:*:*:*:*:* |
| ossrs | simple_realtime_server | * | cpe:2.3:a:ossrs:simple_realtime_server:*:*:*:*:*:*:*:* |
CNA Affected
[
{
"vendor": "ossrs",
"product": "srs",
"versions": [
{
"version": "< 5.0.210",
"status": "affected"
},
{
"version": ">= 6.0.0, < 6.0.121",
"status": "affected"
}
]
}
]Related
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
6.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.2%