CVE-2024-29191 - Vulnerability Details - OpenCVE

gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The links page (`links.html`) appends the `src` GET parameter (`[0]`) in all of its links for 1-click previews. The context in which `src` is being appended is `innerHTML` (`[1]`), which will insert the text as HTML. Commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contains a patch for the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00139.

Key SSVC decision points have not yet been added.

Vendors	Products
Alexxit	Go2rtc

Configuration 1 [-]

cpe:2.3:a:alexxit:go2rtc:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba
https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/

History

Tue, 02 Sep 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Alexxit Alexxit go2rtc
CPEs		cpe:2.3:a:alexxit:go2rtc::::::::
Vendors & Products		Alexxit Alexxit go2rtc

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-04T14:52:30.977Z

Updated: 2024-08-02T01:10:55.432Z

Reserved: 2024-03-18T17:07:00.094Z

Link: CVE-2024-29191

Vulnrichment

Updated: 2024-08-02T01:10:55.432Z

NVD

Status : Analyzed

Published: 2024-04-04T15:15:39.043

Modified: 2025-09-02T15:24:33.513

Link: CVE-2024-29191

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29191", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-18T17:07:00.094Z", "datePublished": "2024-04-04T14:52:30.977Z", "dateUpdated": "2024-08-02T01:10:55.432Z"}, "containers": {"cna": {"title": "GHSL-2023-205 gotortc DOM-based Cross-site Scripting vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/"}, {"name": "https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba", "tags": ["x_refsource_MISC"], "url": "https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba"}], "affected": [{"vendor": "AlexxIT", "product": "go2rtc", "versions": [{"version": "<= 1.8.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T14:52:30.977Z"}, "descriptions": [{"lang": "en", "value": "gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The links page (`links.html`) appends the `src` GET parameter (`[0]`) in all of its links for 1-click previews. The context in which `src` is being appended is `innerHTML` (`[1]`), which will insert the text as HTML. Commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contains a patch for the issue."}], "source": {"advisory": "GHSA-wv8x-3w6r-6h7v", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "alexxit", "product": "go2rtc", "cpes": ["cpe:2.3:a:alexxit:go2rtc:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T15:27:38.187538Z", "id": "CVE-2024-29191", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T20:27:47.886Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:55.432Z"}, "title": "CVE Program Container", "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/"}, {"name": "https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/", "name": "https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba", "name": "https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:55.432Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29191", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-19T15:27:38.187538Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:alexxit:go2rtc:*:*:*:*:*:*:*:*"], "vendor": "alexxit", "product": "go2rtc", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.8.5"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T15:31:55.684Z"}}], "cna": {"title": "GHSL-2023-205 gotortc DOM-based Cross-site Scripting vulnerability", "source": {"advisory": "GHSA-wv8x-3w6r-6h7v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "AlexxIT", "product": "go2rtc", "versions": [{"status": "affected", "version": "<= 1.8.5"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/", "name": "https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba", "name": "https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The links page (`links.html`) appends the `src` GET parameter (`[0]`) in all of its links for 1-click previews. The context in which `src` is being appended is `innerHTML` (`[1]`), which will insert the text as HTML. Commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T14:52:30.977Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29191", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:10:55.432Z", "dateReserved": "2024-03-18T17:07:00.094Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-04T14:52:30.977Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:alexxit:go2rtc:*:*:*:*:*:*:*:*", "matchCriteriaId": "E44B0A46-58BF-40AE-A3F6-252E92C0DFF7", "versionEndIncluding": "1.8.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The links page (`links.html`) appends the `src` GET parameter (`[0]`) in all of its links for 1-click previews. The context in which `src` is being appended is `innerHTML` (`[1]`), which will insert the text as HTML. Commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contains a patch for the issue."}, {"lang": "es", "value": "gotortc es una aplicaci\u00f3n de transmisi\u00f3n de c\u00e1mara. Las versiones 1.8.5 y anteriores son vulnerables a Cross-Site Scripting basadas en DOM. La p\u00e1gina de enlaces (`links.html`) agrega el par\u00e1metro GET `src` (`[0]`) en todos sus enlaces para vistas previas con 1 clic. El contexto en el que se agrega `src` es `innerHTML` (`[1]`), que insertar\u00e1 el texto como HTML. El commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contiene un parche para el problema."}], "id": "CVE-2024-29191", "lastModified": "2025-09-02T15:24:33.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-04T15:15:39.043", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}