CVE-2024-29193: gotortc Cross-site Scripting vulnerability

August 5, 2024

gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (index.html) shows the available streams by fetching the API in the client side. Then, it uses Object.entries to iterate over the result whose first item (name) gets appended using innerHTML. In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, in which the XSS would be executed in the context of go2rtc’s origin.

References

github.com/AlexxIT/go2rtc
github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba
github.com/advisories/GHSA-rh4r-f7f7-r99m
nvd.nist.gov/vuln/detail/CVE-2024-29193
securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc

Code Behaviors & Features

Detect and mitigate CVE-2024-29193 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →