CVE-2024-29026
Owncast cross origin request
Public Exploits: 0
Exploited in Wild: -

Descriptions
Owncast is an open-source, self-hosted, decentralized, single-user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross-origin request that reads privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.
CVSS Scores
SSVC
- Decision: Track
Timeline
- 2024-03-14 CVE Reserved
- 2024-03-20 CVE Published
- 2024-03-21 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-697: Incorrect Comparison
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32 | X_refsource_misc | |
| https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624 | X_refsource_misc | |
| https://securitylab.github.com/advisories/GHSL-2023-261_Owncast | X_refsource_confirm | |