QwikSec

Security Database

CVE

CWE

Training

CVE-2024-29026

Published: Mar 20, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

8.2

HIGH

Description

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.

Vendor	Product	Versions
owncast	owncast	affected `<= 0.1.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

References

https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/

x_refsource_CONFIRM

https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624

x_refsource_MISC

https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.