Lucene search

GoogleOSV:CVE-2024-29882

HistoryMar 28, 2024 - 2:15 p.m.

CVE-2024-29882

2024-03-2814:15:14

Google

osv.dev

srs

video server

vulnerability fix

xss

security patch

software

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

SRS is a simple, high-efficiency, real-time video server. SRS’s /api/v1/vhosts/vid-<id>?callback=<payload> endpoint didn’t filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.

CPENameOperatorVersion
srseq2.0-r4
srseq2.0-b0
srseq2.0-r1
srseq2.0-r6
srseq5.0-a0
srseq2.0-r8
srseq6.0-d0
srseq4.0-r3
srseq3.0-a6
srseq6.0.10

Name	Operator	Version
srs	eq	2.0-r4
srs	eq	2.0-b0
srs	eq	2.0-r1
srs	eq	2.0-r6
srs	eq	5.0-a0
srs	eq	2.0-r8
srs	eq	6.0-d0
srs	eq	4.0-r3
srs	eq	3.0-a6
srs	eq	6.0.10

Rows per page:

1-10 of 741

References

github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d

github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for OSV:CVE-2024-29882