Approved changes feed: RSS · Atom
cpe:2.3:a:alexxit:go2rtc:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Alexxit (624b4f77-568c-59e9-81b4-13d63cb58923) |
|---|---|
| Product | Go2Rtc (94e8d011-1c60-51ed-ae85-ea3ec37fc167) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/alexxit/go2rtc |
purl2cpe | 2026-06-01 10:17:38.917485 |
pkg:golang/github.com/alexxit/go2rtc |
purl2cpe | 2026-06-01 10:17:38.917487 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2024-29193 |
vulnerable | 2026-06-08 06:33:28.945038 |
GHSL-2023-207 gotortc DOM-based Cross-site Scripting vulnerability
MEDIUM (6.1)
gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (`index.html`) shows the available streams by fetching the API in the client side. Then, it uses `Object.entries` to iterate over the result whose first item (`name`) gets appended using `innerHTML`. In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, in which the XSS would be executed in the context of go2rtc’s origin. As of time of publication, no patch is available.
Published: 2024-04-04T18:35:28.817Z
Updated: 2024-08-13T14:04:23.996Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-29192 |
vulnerable | 2026-06-08 06:33:28.944582 |
GHSL-2023-206 gotortc Cross-Site Request Forgery vulnerability
HIGH (8.8)
gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The `/api/config` endpoint allows one to modify the existing configuration with user-supplied values. While the API is only allowing localhost to interact without authentication, an attacker may be able to achieve that depending on how go2rtc is set up on the upstream application, and given that this endpoint is not protected against CSRF, it allows requests from any origin (e.g. a "drive-by" attack) . The `exec` handler allows for any stream to execute arbitrary commands. An attacker may add a custom stream through `api/config`, which may lead to arbitrary command execution. In the event of a victim visiting the server in question, their browser will execute the requests against the go2rtc instance. Commit 8793c3636493c5efdda08f3b5ed5c6e1ea594fd9 adds a warning about secure API access.
Published: 2024-04-04T18:08:26.078Z
Updated: 2024-08-29T19:09:20.613Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-29191 |
vulnerable | 2026-06-08 06:33:28.944019 |
GHSL-2023-205 gotortc DOM-based Cross-site Scripting vulnerability
MEDIUM (6.1)
gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The links page (`links.html`) appends the `src` GET parameter (`[0]`) in all of its links for 1-click previews. The context in which `src` is being appended is `innerHTML` (`[1]`), which will insert the text as HTML. Commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contains a patch for the issue.
Published: 2024-04-04T14:52:30.977Z
Updated: 2024-08-02T01:10:55.432Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.