CVE-2024-29882
Published: 28 March 2024
Summary
CVE-2024-29882 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Ossrs Simple Realtime Server. Its CVSS base score is 7.2 (High).
Operationally, this CVE ranks in the top 7.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
SRS is a simple, high-efficiency real-time video server. It contains a reflected cross-site scripting flaw in the `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint: the `callback` parameter was reflected into the response without filtering, so an attacker could supply an arbitrary JavaScript payload that executes in any client rendering the API response. The issue is tracked as CWE-79 and was present in all releases before the fixes shipped in versions 5.0.210 and 6.0.121.
An unauthenticated remote attacker can send a crafted HTTP request containing a malicious callback value. Because the CVSS vector shows network access, low complexity, and no required credentials or user interaction, the attacker can cause the injected script to run in the browser of any user who visits a page that includes the API response, resulting in limited confidentiality and integrity impacts within the affected origin.
The project addressed the flaw in commit 244ce7bc013a0b805274a65132a2980680ba6b9d and published the details in GitHub Security Advisory GHSA-gv9r-qcjc-5hj7, confirming that the parameter is now sanitized and recommending that deployments upgrade to the patched releases. The associated EPSS score has remained flat at 0.0770 with no material increase since disclosure.
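The root cause described above is a JSONP callback name reflected verbatim into the response body. The following is an added example, not SRS project code and not the project's actual fix, showing the unchecked shape beside a hardened one that only reflects the callback when it is a plain JavaScript identifier path (letters, digits, `_`, `$`, single dots); the function names are assumptions for illustration.

```cpp
// Added example (not SRS code): strict validation of a JSONP callback name.
#include <cctype>
#include <string>

// Returns true only if `cb` looks like "handleVhost" or "app.cb1":
// identifier characters plus single separating dots. Quotes, '<', '(',
// ';', '/' and whitespace are all rejected, so a reflected callback can
// never carry script text or close the intended function call.
bool is_safe_jsonp_callback(const std::string& cb) {
    if (cb.empty() || cb.size() > 64) return false;
    bool prev_dot = true;  // start behaves like "after a dot"
    for (char c : cb) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (c == '.') {
            if (prev_dot) return false;      // leading or doubled dot
            prev_dot = true;
        } else if (std::isalpha(uc) || c == '_' || c == '$') {
            prev_dot = false;
        } else if (std::isdigit(uc)) {
            if (prev_dot) return false;      // segment may not start with a digit
            prev_dot = false;
        } else {
            return false;                    // anything else is not an identifier
        }
    }
    return !prev_dot;                        // trailing dot is also invalid
}

// Vulnerable shape: whatever arrived in ?callback= lands in the body as-is.
std::string build_jsonp_unchecked(const std::string& cb, const std::string& json) {
    return cb + "(" + json + ");";
}

// Hardened shape: only a validated name is wrapped around the JSON;
// otherwise the plain JSON is returned (a 400 response is the other option).
std::string build_jsonp_checked(const std::string& cb, const std::string& json) {
    if (!is_safe_jsonp_callback(cb)) return json;
    return cb + "(" + json + ");";
}
```

Serving the result with `Content-Type: application/javascript` and `X-Content-Type-Options: nosniff` limits what a browser will do with the response even when the name check is bypassed by a future bug.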
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26870
Vulnerability details
SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name, which led to injecting malicious JavaScript payloads and executing XSS (Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely mitigating controls (AI-derived): per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.