go2rtc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (`index.html`) lists the available streams by fetching the API on the client side. It then iterates over the result with `Object.entries` and appends the first item of each entry (`name`) to the page using `innerHTML`. In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, where the XSS is executed in the context of go2rtc’s origin. As of time of publication, no patch is available.
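The rendering pattern described above, next to a hardened form, as an added example that is not go2rtc's own code. The response shape (an object keyed by stream name), the `stream.html?src=` row template and all function names are assumptions made for illustration.

```javascript
// Added example, not go2rtc's code. Function names, the row template and the
// response shape are hypothetical.

// Constructed API response: an object keyed by stream name.
const sampleStreams = {
  "front_door": { producers: [] },
  "<b>injected</b>": { producers: [] },   // constructed: markup in the key
  'cam" data-x="1': { producers: [] },    // constructed: quote in the key
};

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Pattern from the advisory: the entry's first item (name) is concatenated
// into markup that is later assigned to innerHTML.
function renderStreamRowsUnsafe(streams) {
  return Object.entries(streams)
    .map(([name]) => `<tr><td><a href="stream.html?src=${name}">${name}</a></td></tr>`)
    .join("");
}

// Hardened: URL-encode the name for the query string, then HTML-escape it
// for both the attribute context and the text context.
function renderStreamRowsSafe(streams) {
  return Object.entries(streams)
    .map(([name]) => {
      const href = escapeHtml(`stream.html?src=${encodeURIComponent(name)}`);
      return `<tr><td><a href="${href}">${escapeHtml(name)}</a></td></tr>`;
    })
    .join("");
}

// In a browser, DOM APIs avoid HTML parsing of the name altogether:
//   const a = document.createElement("a");
//   a.textContent = name;
//   a.href = "stream.html?src=" + encodeURIComponent(name);
```

With the unsafe renderer the two constructed names reach the page as an element and as an extra attribute; with the safe renderer both appear as literal text.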
History
Tue, 02 Sep 2025 17:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Alexxit, Alexxit go2rtc | |
CPEs | cpe:2.3:a:alexxit:go2rtc:*:*:*:*:*:*:*:* | |
Vendors & Products | Alexxit, Alexxit go2rtc | |

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2024-08-13T14:04:23.996Z
Reserved: 2024-03-18T17:07:00.095Z
Link: CVE-2024-29193

Updated: 2024-08-02T01:10:54.458Z

Status : Analyzed
Published: 2024-04-04T19:15:08.023
Modified: 2025-09-02T16:51:11.057
Link: CVE-2024-29193
