CVE-2021-39183 - Vulnerability Details - OpenCVE

Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00326.

Key SSVC decision points have not yet been added.

Vendors	Products
Owncast Project	Owncast

Configuration 1 [-]

cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-2423	Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.
Github GHSA	GHSA-2hfj-cxw7-g45p	Unsafe inline XSS in pasting DOM element into chat

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-12-14T20:05:12

Updated: 2024-08-04T01:58:18.143Z

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-39183

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-12-14T20:15:07.490

Modified: 2024-11-21T06:18:49.520

Link: CVE-2021-39183

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "owncast", "vendor": "owncast", "versions": [{"status": "affected", "version": "< 0.0.9"}]}], "descriptions": [{"lang": "en", "value": "Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-14T20:05:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p"}], "source": {"advisory": "GHSA-2hfj-cxw7-g45p", "discovery": "UNKNOWN"}, "title": "Unsafe inline XSS Owncast", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39183", "STATE": "PUBLIC", "TITLE": "Unsafe inline XSS Owncast"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "owncast", "version": {"version_data": [{"version_value": "< 0.0.9"}]}}]}, "vendor_name": "owncast"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p", "refsource": "CONFIRM", "url": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p"}]}, "source": {"advisory": "GHSA-2hfj-cxw7-g45p", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.143Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39183", "datePublished": "2021-12-14T20:05:12", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.143Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*", "matchCriteriaId": "07529BE1-AAF9-477D-986B-72F77DDE0529", "versionEndExcluding": "0.0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player."}, {"lang": "es", "value": "Owncast es un servidor de chat y transmisi\u00f3n de v\u00eddeo en directo de c\u00f3digo abierto y autoalojado. En las versiones afectadas son ejecutados scripts en l\u00ednea cuando es analizado Javascript mediante una acci\u00f3n de pegado. Este problema est\u00e1 parcheado en la versi\u00f3n 0.0.9 al bloquear la pol\u00edtica de seguridad de contenidos unsafe-inline y la especificaci\u00f3n del script-src. Es requerido que el worker-src sea establecido como blob para el reproductor de v\u00eddeo"}], "id": "CVE-2021-39183", "lastModified": "2024-11-21T06:18:49.520", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-14T20:15:07.490", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}