Description
go2rtc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The links page (`links.html`) appends the `src` GET parameter (`[0]`) to all of its links for 1-click previews. The `src` value is appended through `innerHTML` (`[1]`), which inserts the text as HTML rather than as plain text. Commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contains a patch for the issue.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/
Scores
CVSS v3
6.1
EPSS
0.0018
EPSS Percentile
39.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
alexxit/go2rtc
< 1.8.5
AlexxIT/go2rtc
0 - 1.9.0 Go
Published
Apr 04, 2024
Tracked Since
Feb 18, 2026