Vulnerability Details CVE-2024-29882
SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint did not validate the JSONP callback function name, so an attacker-controlled value was reflected into the response and executed in the browser as JavaScript (cross-site scripting, XSS). This vulnerability is fixed in 5.0.210 and 6.0.121.
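As an added defensive example, not SRS's own code: the check a JSONP endpoint needs is a strict allow-list on the callback name before it is echoed, falling back to a 400 rather than reflecting anything else. The function names, the `HttpResponse` struct and the sample JSON body are assumptions for illustration; the real SRS handler is structured differently.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Allow only identifier-like callback names: letters, digits, '_', '$' and '.',
// not starting with a digit, bounded in length. Parentheses, quotes, '<', '/'
// and whitespace are therefore rejected before the name can reach the response.
bool is_safe_jsonp_callback(const std::string& cb) {
    if (cb.empty() || cb.size() > 64) return false;
    if (std::isdigit(static_cast<unsigned char>(cb[0]))) return false;
    for (unsigned char c : cb) {
        if (!(std::isalnum(c) || c == '_' || c == '$' || c == '.')) return false;
    }
    return true;
}

struct HttpResponse {          // assumed minimal response type for illustration
    int status;
    std::string content_type;
    std::string body;
};

// Hypothetical handler for /api/v1/vhosts/vid-<id>: plain JSON when no callback
// is given, a JSONP wrapper for a validated callback, and 400 otherwise so the
// untrusted name is never written into the body.
HttpResponse render_vhost_api(const std::string& json, const std::string& callback) {
    if (callback.empty()) {
        return {200, "application/json", json};
    }
    if (!is_safe_jsonp_callback(callback)) {
        return {400, "application/json", "{\"code\":400,\"error\":\"invalid callback\"}"};
    }
    // Serve as JavaScript, not HTML; the leading comment is a common JSONP
    // hardening against content-sniffing tricks. Pair it with
    // X-Content-Type-Options: nosniff at the HTTP layer.
    return {200, "application/javascript", "/**/ " + callback + "(" + json + ");"};
}

int main() {
    const std::string json = "{\"code\":0,\"vhost\":{\"id\":\"vid-1\"}}";  // constructed sample
    for (const std::string& cb : {"", "onVhosts", "cb(1)//", "<b>"}) {
        HttpResponse r = render_vhost_api(json, cb);
        std::cout << "callback=\"" << cb << "\" -> " << r.status << " " << r.body << "\n";
    }
    return 0;
}
```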
Exploit prediction scoring system (EPSS) score
EPSS Score 0.077
EPSS Ranking 91.6%
CVSS Severity
CVSS v3 Score 7.2
Products affected by CVE-2024-29882
- cpe:2.3:a:ossrs:simple_realtime_server:5.0.137
- cpe:2.3:a:ossrs:simple_realtime_server:5.0.156
- cpe:2.3:a:ossrs:simple_realtime_server:5.0.157
- cpe:2.3:a:ossrs:simple_realtime_server:6.0.18
- cpe:2.3:a:ossrs:simple_realtime_server:6.0.47
- cpe:2.3:a:ossrs:simple_realtime_server:6.0.48