CVE-2024-29191 MEDIUM

CVE-2024-29191: GHSL-2023-205 gotortc DOM-based Cross-site Scripting vulnerability

Vendor Alexxit
Product go2rtc
Weakness CWE-79 · XSS
Published April 4, 2024
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The links page (`links.html`) appends the `src` GET parameter (`[0]`) in all of its links for 1-click previews. The context in which `src` is being appended is `innerHTML` (`[1]`), which will insert the text as HTML. Commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contains a patch for the issue.

Key dates

02Disclosure timeline

April 4, 2024 CVE published
August 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-9939 CodeAstro Real Estate Management System propertyview.php cross site scripting CVE-2024-13399 Gosign – Posts Slider Block <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-33645 WordPress Easy Set Favicon plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-33170 Rails Active Support has a possible XSS vulnerability in SafeBuffer#% CVE-2021-39310 Real WYSIWYG <= 0.0.2 Reflected Cross-Site Scripting