CVE-2024-29026 HIGH

CVE-2024-29026: Owncast cross origin request

Vendor Owncast
Product owncast
Weakness CWE-352 · CSRF
Published March 20, 2024
Last update August 2, 2024

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01 Description

Owncast is an open source, self-hosted, decentralized, single-user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross-origin request and read privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.

Key dates

02 Disclosure timeline

March 20, 2024 CVE published
August 2, 2024 Record updated