
CVE-2024-27926: RSSHub Cross-site Scripting vulnerability caused by internal media proxy

March 6, 2024

Impact

When a specially crafted image is supplied to the internal media proxy, the proxy relays it without any handling of XSS, so arbitrary JavaScript can execute in the browser of a user who loads the proxied response.

Users who access the deliberately constructed URL are affected.
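The advisory does not spell out the fix, so the following is an added, hypothetical hardening for a media proxy (not RSSHub's own code): before relaying upstream bytes it checks that they really are a raster image by magic bytes, ignores the upstream Content-Type, and sends headers that stop a browser from interpreting the body as HTML or running script.

```javascript
// Added example, not from the advisory or RSSHub: decide how a media proxy
// should respond to upstream bytes so that a crafted "image" that is really
// HTML or SVG cannot run script in the requesting user's browser.
const IMAGE_MAGIC = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Identify the real image type from leading bytes; null if not a known raster format.
function sniffImageType(buf) {
  for (const { type, bytes } of IMAGE_MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  // WebP is a RIFF container: "RIFF" + 4-byte size + "WEBP"
  if (buf.length >= 12 &&
      buf.toString('latin1', 0, 4) === 'RIFF' &&
      buf.toString('latin1', 8, 12) === 'WEBP') return 'image/webp';
  return null;
}

// Build the response the proxy will send; hypothetical helper, returns { status, headers, body }.
function buildProxyResponse(upstreamContentType, body) {
  const actual = sniffImageType(body);
  // Anything whose bytes are not a raster image is refused, whatever the upstream
  // header claims (SVG and HTML can both carry script, so they are never relayed).
  if (actual === null) {
    return { status: 415, headers: { 'X-Content-Type-Options': 'nosniff' }, body: Buffer.alloc(0) };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': actual,                                     // sniffed type, not the upstream one
      'X-Content-Type-Options': 'nosniff',                        // browser must not re-sniff to text/html
      'Content-Security-Policy': "default-src 'none'; sandbox",   // no script even if somehow rendered
      'Content-Disposition': 'inline; filename="media"',
    },
    body,
  };
}
```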

Patches

This vulnerability was fixed in commit https://github.com/DIYgod/RSSHub/commit/4d3e5d79c1c17837e931b4cd253d2013b487aa87. Please upgrade to this or a later version.

Workarounds

None.

References

  • github.com/DIYgod/RSSHub
  • github.com/DIYgod/RSSHub/commit/4d3e5d79c1c17837e931b4cd253d2013b487aa87
  • github.com/DIYgod/RSSHub/security/advisories/GHSA-2wqw-hr4f-xrhh
  • github.com/advisories/GHSA-2wqw-hr4f-xrhh
  • nvd.nist.gov/vuln/detail/CVE-2024-27926

Affected versions

All versions starting from 1.0.0-master.cbbd829 before 1.0.0-master.d8ca915

Fixed versions

  • 1.0.0-master.d8ca915

Solution

Upgrade to version 1.0.0-master.d8ca915 or above.

Impact: 6.1 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Source file

npm/rsshub/CVE-2024-27926.yml

Page generated Wed, 14 May 2025 12:14:54 +0000.