Approved changes feed: RSS · Atom

cpe:2.3:a:alexxit:go2rtc:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorAlexxit (624b4f77-568c-59e9-81b4-13d63cb58923)
ProductGo2Rtc (94e8d011-1c60-51ed-ae85-ea3ec37fc167)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from purl2cpe mapping

PURL mappings

PURLSourceLast updated
pkg:github/alexxit/go2rtc purl2cpe 2026-06-01 10:17:38.917485
pkg:golang/github.com/alexxit/go2rtc purl2cpe 2026-06-01 10:17:38.917487

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2024-29193 vulnerable 2026-06-08 06:33:28.945038 GHSL-2023-207 gotortc DOM-based Cross-site Scripting vulnerability
MEDIUM (6.1)
gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (`index.html`) shows the available streams by fetching the API in the client side. Then, it uses `Object.entries` to iterate over the result whose first item (`name`) gets appended using `innerHTML`. In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, in which the XSS would be executed in the context of go2rtc’s origin. As of time of publication, no patch is available.
Published: 2024-04-04T18:35:28.817Z
Updated: 2024-08-13T14:04:23.996Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-29192 vulnerable 2026-06-08 06:33:28.944582 GHSL-2023-206 gotortc Cross-Site Request Forgery vulnerability
HIGH (8.8)
gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The `/api/config` endpoint allows one to modify the existing configuration with user-supplied values. While the API is only allowing localhost to interact without authentication, an attacker may be able to achieve that depending on how go2rtc is set up on the upstream application, and given that this endpoint is not protected against CSRF, it allows requests from any origin (e.g. a "drive-by" attack) . The `exec` handler allows for any stream to execute arbitrary commands. An attacker may add a custom stream through `api/config`, which may lead to arbitrary command execution. In the event of a victim visiting the server in question, their browser will execute the requests against the go2rtc instance. Commit 8793c3636493c5efdda08f3b5ed5c6e1ea594fd9 adds a warning about secure API access.
Published: 2024-04-04T18:08:26.078Z
Updated: 2024-08-29T19:09:20.613Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-29191 vulnerable 2026-06-08 06:33:28.944019 GHSL-2023-205 gotortc DOM-based Cross-site Scripting vulnerability
MEDIUM (6.1)
gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The links page (`links.html`) appends the `src` GET parameter (`[0]`) in all of its links for 1-click previews. The context in which `src` is being appended is `innerHTML` (`[1]`), which will insert the text as HTML. Commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contains a patch for the issue.
Published: 2024-04-04T14:52:30.977Z
Updated: 2024-08-02T01:10:55.432Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.