PT-2024-22796 · Gotortc · Gotortc

Jorge Rosillo

Published 2024-04-04 · Updated 2025-09-02

CVE-2024-29192

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

gotortc versions 1.8.5 and prior

Description

The issue concerns a camera streaming application. It allows the existing configuration to be modified with user-supplied values through the /api/config endpoint. Although only localhost may use this API without authentication, the endpoint is not protected against Cross-Site Request Forgery (CSRF), so it accepts requests from any origin. This could lead to arbitrary command execution if an attacker adds a custom stream through /api/config that uses the exec handler. When a victim visits a site that issues such requests, their browser sends them to the go2rtc instance, and because the browser runs on the same host they satisfy the localhost rule.

Recommendations

For versions 1.8.5 and prior, consider disabling the exec handler and restricting access to the /api/config endpoint to prevent arbitrary command execution until a patch is available. Additionally, ensure that go2rtc is set up securely in the upstream application to minimize the risk of exploitation.
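The two recommendations above, encoded as a policy helper for a reverse proxy or sidecar placed in front of go2rtc (added example; not part of this advisory or of the go2rtc project). It assumes go2rtc's config layout of a `streams:` map whose sources are strings with an `exec:` prefix, and the standard browser headers Origin, Referer and Sec-Fetch-Site; the sample config is constructed.

```python
from urllib.parse import urlparse

API_CONFIG_PATH = "/api/config"
LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def _hostname(value):
    """Hostname of a URL or of a bare host[:port] value; None if unparseable."""
    try:
        return urlparse(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None


def config_request_allowed(path, headers):
    """True if a request may reach /api/config (other paths always pass).
    Cross-site browser requests are spotted via Sec-Fetch-Site or via an
    Origin/Referer host that is neither the instance's own Host nor loopback;
    requests with none of these headers (curl, scripts) pass through."""
    if path != API_CONFIG_PATH:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False
    origin = h.get("origin") or h.get("referer")
    if origin is None:
        return True  # no browser metadata: leave it to go2rtc's localhost rule
    allowed = set(LOOPBACK_HOSTS)
    own = _hostname(h.get("host", ""))
    if own:
        allowed.add(own)
    return _hostname(origin) in allowed  # "Origin: null" is rejected here


def exec_streams(config):
    """Names of streams whose sources use the exec handler (assumed layout)."""
    hits = []
    for name, sources in (config.get("streams") or {}).items():
        if isinstance(sources, str):
            sources = [sources]
        if any(str(src).startswith("exec:") for src in sources):
            hits.append(name)
    return hits


SAMPLE_CONFIG = {  # constructed sample, not from any real deployment
    "api": {"listen": ":1984"},
    "streams": {"front_door": "rtsp://192.0.2.10/live",
                "backyard": ["rtsp://192.0.2.11/live",
                             "exec:ffmpeg -i /dev/video0 -f rtsp {output}"]},
}
```

`exec_streams` is meant to run over the parsed go2rtc.yaml as a pre-deployment check; `config_request_allowed` is the decision a proxy would make per request before forwarding it.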

Weakness Enumeration

CSRF

Related Identifiers

CVE-2024-29192
GHSA-QGJ8-G9Q4-7F2P
GO-2024-3052

Affected Products

Gotortc