PT-2024-22797 · Gotortc

Jorge Rosillo

Published 2024-04-04 · Updated 2025-09-02

CVE-2024-29193

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: gotortc versions 1.8.5 and prior

Description: gotortc is a camera streaming application. The index page (index.html) lists the available streams by fetching the API on the client side, iterating over the result with Object.entries, and appending the first item of each entry (the stream name) with innerHTML. Because the name is inserted as markup rather than text, this leads to DOM-based cross-site scripting. When a victim visits the server, their browser issues the request against the go2rtc instance and is then redirected to go2rtc, where the XSS executes in the context of go2rtc's origin.
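The rendering pattern described above, shown as an added example beside a hardened form (this is illustrative code written for this page, not go2rtc's own index.html; the response shape and the stream names are constructed):

```javascript
// Constructed API response shaped like the one the advisory describes:
// an object keyed by stream name. One name contains HTML markup to show
// the difference between the two renderers.
const sampleStreams = {
  "front_door": { producers: [] },
  "<b>cam</b>": { producers: [] },   // constructed, not a real stream
};

// Vulnerable pattern: the stream name is concatenated into markup that is
// handed to innerHTML, so any tags in the name are parsed by the browser.
function renderStreamsUnsafe(streams) {
  let html = "";
  for (const [name] of Object.entries(streams)) {
    html += `<li>${name}</li>`;      // name interpreted as HTML
  }
  return html;                       // intended for list.innerHTML = ...
}

// Hardened pattern for string-building code: escape before any HTML
// context so the name is displayed literally.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderStreamsSafe(streams) {
  let html = "";
  for (const [name] of Object.entries(streams)) {
    html += `<li>${escapeHtml(name)}</li>`;
  }
  return html;
}

// Preferred hardened pattern in the browser: build nodes with DOM APIs and
// assign the name through textContent, which is never parsed as HTML.
// (Uses `document`, so it runs in a page, not under Node.)
function appendStreams(listEl, streams) {
  for (const [name] of Object.entries(streams)) {
    const li = document.createElement("li");
    li.textContent = name;
    listEl.appendChild(li);
  }
}
```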
Recommendations: As a temporary workaround, consider disabling the use of innerHTML for appending user-supplied data until a patch is available. Restrict access to the index.html page to minimize the risk of exploitation. Avoid using the name variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-29193
GHSA-RH4R-F7F7-R99M
GO-2024-3053

Affected Products

Gotortc