CVE-2024-29193

Exploit

EPSS 0.13%
Published 04.04.2024 19:15:08
Last modified 02.09.2025 16:51:11
Source security-advisories@github.com
Teams watchlist Login
Open Login

gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (`index.html`) shows the available streams by fetching the API in the client side. Then, it uses `Object.entries` to iterate over the result whose first item (`name`) gets appended using `innerHTML`. In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, in which the XSS would be executed in the context of go2rtc’s origin. As of time of publication, no patch is available.

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Alexxit ≫ Go2rtc Version <= 1.8.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.13%	0.329

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security-advisories@github.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-29193

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-29193

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-29193

EUVD