PT-2024-23106 · Srs · Srs
Antqt
Published 2024-03-28 · Updated 2024-03-28
CVE-2024-29882
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
SRS versions prior to 5.0.210
SRS versions prior to 6.0.121
Description
The issue concerns SRS, a simple, high-efficiency, real-time video server. Specifically, the /api/v1/vhosts/vid-<id>?callback=<payload> endpoint did not filter the callback function name, leading to the injection of malicious JavaScript payloads and the execution of Cross-Site Scripting (XSS).
Recommendations
For versions prior to 5.0.210, update to version 5.0.210 or later.
For versions prior to 6.0.121, update to version 6.0.121 or later.
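The root cause described above is a JSONP-style `callback` parameter reflected into a script response without validation. The following is an added example (not SRS's own code, and not the upstream fix) showing the kind of check a server should apply before wrapping a JSON body in a caller-supplied function name: the name is accepted only if it is a plain JavaScript identifier, or a dotted path of identifiers, and anything else falls back to plain JSON with an `application/json` content type so no request-controlled text is reflected into a script context. The function names `is_safe_jsonp_callback` and `render_api_response`, the 64-character limit, and the sample vhost JSON are all assumptions made for this example.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical validator (added example, not SRS's own code).
// Accepts only a JavaScript identifier such as "onVhost", or a dotted
// path of identifiers such as "app.onVhost", at most 64 characters.
// Any other character (parentheses, quotes, semicolons, spaces, ...)
// causes rejection, so the value can never close the call or start
// a new statement when echoed into a script body.
bool is_safe_jsonp_callback(const std::string& cb) {
    if (cb.empty() || cb.size() > 64) return false;
    bool start_of_segment = true;  // next char must begin an identifier
    for (unsigned char c : cb) {
        if (start_of_segment) {
            if (!(std::isalpha(c) || c == '_' || c == '$')) return false;
            start_of_segment = false;
        } else if (c == '.') {
            start_of_segment = true;   // a new identifier segment follows
        } else if (!(std::isalnum(c) || c == '_' || c == '$')) {
            return false;
        }
    }
    return !start_of_segment;        // reject a trailing '.'
}

struct Response {
    std::string content_type;
    std::string body;
};

// Builds the API response. With no callback, or with a rejected one,
// the JSON is served unchanged as application/json. Only a validated
// callback name is used to produce a JSONP wrapper.
Response render_api_response(const std::string& json,
                             const std::string& callback) {
    if (callback.empty() || !is_safe_jsonp_callback(callback)) {
        // The vulnerable behaviour would echo the callback verbatim here;
        // refusing to wrap removes the reflection entirely.
        return {"application/json", json};
    }
    return {"application/javascript", callback + "(" + json + ");"};
}

int main() {
    // Constructed sample standing in for the vhost object the API returns.
    const std::string json = "{\"code\":0,\"vhost\":{\"id\":\"vid-1\"}}";
    std::cout << render_api_response(json, "onVhost").body << "\n";   // wrapped
    std::cout << render_api_response(json, "cb();x").body << "\n";    // plain JSON
    return 0;
}
```

Even with a validated name, the wrapped response should be served with `Content-Type: application/javascript` and `X-Content-Type-Options: nosniff`, and the plain JSON path with `application/json`, so that a browser never interprets a JSON body as markup or script on its own; a detection rule for this issue can simply alert on `callback` values to the `/api/v1/` paths that fail the identifier pattern above.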
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Srs