CVE-2024-29191

Published: Apr 4, 2024Modified: Jun 17, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: security-advisories@github.com (Secondary)

Description

gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The links page (`links.html`) appends the `src` GET parameter (`[0]`) in all of its links for 1-click previews. The context in which `src` is being appended is `innerHTML` (`[1]`), which will insert the text as HTML. Commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contains a patch for the issue.

Affected (1)

Products: Alexxit: Go2rtc

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Alexxit Go2rtc	Up to 1.8.5

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba

Source: security-advisories@github.com

Patch

https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.