Iamcanturk

**Name of the Vulnerable Software and Affected Versions** Textream versions prior to 1.5.1 **Description** The application is a macOS teleprompter. A Cross-Site WebSocket Hijacking (CSWSH) condition exists in the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`). The server does not validate the HTTP `Origin` header during the WebSocket handshake, allowing connections from any origin. A malicious web page, accessed during the same browser session, can connect to the WebSocket server and send arbitrary `DirectorCommand` payloads, enabling full remote control of the teleprompter content. **Recommendations** Update to version 1.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** Textream versions prior to 1.5.1 **Description** Textream, a macOS teleprompter application, is susceptible to a denial-of-service condition. The `DirectorServer` WebSocket server does not limit concurrent connections. This, combined with a broadcast timer sending state updates to all connected clients every 100 milliseconds, allows an attacker to deplete CPU and memory resources by establishing numerous connections. This can lead to the Textream application freezing and crashing, particularly during live sessions. The vulnerable component is the `DirectorServer` WebSocket server. **Recommendations** Update to version 1.5.1 or later.