Exploitation Summary
CVE-2024-29882 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
Nuclei Templates (1)
HTTP API DOM - XSS on JSONP callback
HIGHVERIFIEDby rootxharsh,iamnoooob,pdresearch
Shodan:
http.favicon.hash:1386054408
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7
Patch x_refsource_misc
https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d
Scores
CVSS v3
7.2
EPSS
0.0109
EPSS Percentile
60.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
ossrs/simple_realtime_server
< 5.0.210
Published
Mar 28, 2024
Tracked Since
Feb 18, 2026