GHSA-2HFJ-CXW7-G45P
Vulnerability from github – Published: 2021-12-14 21:48 – Updated: 2022-01-04 18:54
VLAI?
Summary
Unsafe inline XSS in pasting DOM element into chat
Details
Impact
Inline scripts are executed when Javascript is parsed via a paste action.
- Open https://watch.owncast.online/
- Copy and then paste
<img src=null onerror=alert('hello')>into the chat field. - An alert should pop up.
Patches
⋮ 13 │ // Content security policy
⋮ 14 │ csp := []string{
⋮ 15 │ "script-src 'self' 'sha256-2HPCfJIJHnY0NrRDPTOdC7AOSJIcQyNxzUuut3TsYRY='",
⋮ 16 │ "worker-src 'self' blob:", // No single quotes around blob:
⋮ 17 │ }
Will be patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.
For more information
If you have any questions or comments about this advisory: * Open an issue in owncast/owncast * Email us at gabek@real-ity.com
Severity ?
8.2 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/owncast/owncast"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39183"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-14T20:16:10Z",
"nvd_published_at": "2021-12-14T20:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nInline scripts are executed when Javascript is parsed via a paste action.\n\n1. Open https://watch.owncast.online/\n2. Copy and then paste `\u003cimg src=null onerror=alert(\u0027hello\u0027)\u003e` into the\nchat field.\n3. An alert should pop up.\n\n### Patches\n```\n \u22ee 13 \u2502 // Content security policy\n \u22ee 14 \u2502 csp := []string{\n \u22ee 15 \u2502 \"script-src \u0027self\u0027 \u0027sha256-2HPCfJIJHnY0NrRDPTOdC7AOSJIcQyNxzUuut3TsYRY=\u0027\",\n \u22ee 16 \u2502 \"worker-src \u0027self\u0027 blob:\", // No single quotes around blob:\n \u22ee 17 \u2502 }\n```\n\nWill be patched in 0.0.9 by blocking `unsafe-inline` Content Security Policy and specifying the `script-src`. The `worker-src` is required to be set to `blob` for the video player.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [owncast/owncast](https://github.com/owncast/owncast/issues)\n* Email us at [gabek@real-ity.com](mailto:gabek@real-ity.com)\n",
"id": "GHSA-2hfj-cxw7-g45p",
"modified": "2022-01-04T18:54:05Z",
"published": "2021-12-14T21:48:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39183"
},
{
"type": "PACKAGE",
"url": "https://github.com/owncast/owncast"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Unsafe inline XSS in pasting DOM element into chat"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…