CVE-2021-39183

Name of the Vulnerable Software and Affected Versions Owncast versions prior to 0.0.9

Description The issue concerns the execution of inline scripts when Javascript is parsed via a paste action in the chat server. This can lead to the execution of malicious scripts. The problem is resolved by blocking unsafe-inline Content Security Policy and specifying the script-src. Additionally, setting worker-src to blob is required for the video player.

Recommendations For versions prior to 0.0.9, update to version 0.0.9 to patch the issue by blocking unsafe-inline Content Security Policy and specifying the script-src. Ensure the worker-src is set to blob for the video player.