CVE-2021-39183 HIGH

CVE-2021-39183: Unsafe inline XSS Owncast

Vendor Owncast

Product owncast

Weakness CWE-79 · XSS

Published December 14, 2021

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L

What the vulnerability does

01Description

Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.

Key dates

02Disclosure timeline

December 14, 2021 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-39183 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-59988 Junos Space: Generate Report page is vulnerable to reflected cross-site script injection CVE-2026-24980 WordPress Visionary Core plugin <= 1.4.9 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2022-2199 ICSA-22-200-01 MiCODUS MV720 GPS tracker Cross-site Scripting CVE-2016-20070 WordPress Booking Calendar Contact Form 1.0.23 Privilege Escalation Stored XSS CVE-2023-51720 Stored Cross Site Scripting Vulnerability in Skyworth Router