CVE-2024-29882
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-29882
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29882.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-29882
- Related
- Published
- 2024-03-28T14:15:14Z
- Modified
- 2025-07-02T00:30:20.637088Z
- Summary
- [none]
- Details
-
SRS is a simple, high-efficiency, real-time video server. SRS's
/api/v1/vhosts/vid-<id>?callback=<payload>endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121. - References
Affected packages
Git / github.com/ossrs/srs
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ossrs/srs
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.1.0
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v0.9.0
v1.*
v1.0-r0
v2.*
v2.0-a0
v2.0-a1
v2.0-a2
v2.0-a3
v2.0-b0
v2.0-b1
v2.0-b2
v2.0-b3
v2.0-b4
v2.0-r0
v2.0-r1
v2.0-r2
v2.0-r3
v2.0-r4
v2.0-r5
v2.0-r6
v2.0-r7
v2.0-r8
v3.*
v3.0-a0
v3.0-a1
v3.0-a2
v3.0-a3
v3.0-a4
v3.0-a5
v3.0-a6
v3.0-a7
v3.0-a8
v3.0-a9
v3.0-b0
v3.0-b1
v3.0-b2
v3.0-b3
v3.0-b4
v3.0-r0
v3.0-r1
v3.0-r2
v3.0-r3
v4.*
v4.0-b0
v4.0-b1
v4.0-b10
v4.0-b2
v4.0-b3
v4.0-b5
v4.0-b6
v4.0-b7
v4.0-b8
v4.0-b9
v4.0-r0
v4.0-r1
v4.0-r2
v4.0-r3
v4.0-r4
v5.*
v5.0-a0
v5.0-a1
v5.0-a2
v6.*
v6.0-d0
v6.0-d1
v6.0-d2
v6.0-d3
v6.0-d4
v6.0.10
v6.0.36
v6.0.45
v6.0.48