Vulnerability Details CVE-2024-29026
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 35.0%
CVSS Severity
CVSS v3 Score 8.2
References
- https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32
- https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624
- https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/
- https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32
- https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624
- https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/
Products affected by CVE-2024-29026
-
cpe:2.3:a:owncast_project:owncast:0.0.1
-
cpe:2.3:a:owncast_project:owncast:0.0.10
-
cpe:2.3:a:owncast_project:owncast:0.0.11
-
cpe:2.3:a:owncast_project:owncast:0.0.12
-
cpe:2.3:a:owncast_project:owncast:0.0.13
-
cpe:2.3:a:owncast_project:owncast:0.0.2
-
cpe:2.3:a:owncast_project:owncast:0.0.3
-
cpe:2.3:a:owncast_project:owncast:0.0.4
-
cpe:2.3:a:owncast_project:owncast:0.0.5
-
cpe:2.3:a:owncast_project:owncast:0.0.6
-
cpe:2.3:a:owncast_project:owncast:0.0.7
-
cpe:2.3:a:owncast_project:owncast:0.0.8
-
cpe:2.3:a:owncast_project:owncast:0.0.9
-
cpe:2.3:a:owncast_project:owncast:0.1.1
-
cpe:2.3:a:owncast_project:owncast:0.1.2