SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
References
| Link | Resource |
|---|---|
| https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d | Patch |
| https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7 | Exploit Vendor Advisory |
| https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d | Patch |
| https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7 | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
08 Jan 2026, 18:55
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d - Patch | |
| References | () https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7 - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:ossrs:simple_realtime_server:*:*:*:*:*:*:*:* | |
| First Time |
Ossrs
Ossrs simple Realtime Server |
21 Nov 2024, 09:08
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d - | |
| References | () https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7 - |
28 Mar 2024, 14:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2024-03-28 14:15
Updated : 2026-01-08 18:55
NVD link : CVE-2024-29882
Mitre link : CVE-2024-29882
CVE.ORG link : CVE-2024-29882
JSON object : View
Products Affected
ossrs
- simple_realtime_server
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')