GHSA-2hfj-cxw7-g45p

Published: Dec 14, 2021
Source: github
GitHub: reviewed
CVSS3: 8.2

Description

Unsafe inline XSS in pasting DOM element into chat

Impact

Inline scripts are executed when Javascript is parsed via a paste action.

  1. Open https://watch.owncast.online/
  2. Copy and then paste <img src=null onerror=alert('hello')> into the chat field.
  3. An alert should pop up.

Patches

    // Content security policy
    csp := []string{
        "script-src 'self' 'sha256-2HPCfJIJHnY0NrRDPTOdC7AOSJIcQyNxzUuut3TsYRY='",
        "worker-src 'self' blob:", // No single quotes around blob:
    }

Patched in 0.0.9 by removing unsafe-inline from the Content Security Policy and specifying an explicit script-src. The worker-src must remain set to blob: because the video player requires it.
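The following Go program is an added illustration of the fix described above; it is not Owncast's own code. It places a constructed "weak" policy that still carries 'unsafe-inline' (a hypothetical stand-in for the pre-0.0.9 state, not the project's actual earlier header) beside a policy built from the advisory's patch snippet, emits the header through a small middleware, and checks each policy with a minimal CSP parser: does script-src (falling back to default-src) still let inline event handlers execute, and does worker-src keep blob: for the player?

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// buildCSP joins policy directives into one Content-Security-Policy header value.
func buildCSP(directives []string) string {
	return strings.Join(directives, "; ")
}

// Constructed "before" policy (hypothetical): 'unsafe-inline' in script-src means an
// injected onerror handler pasted into chat is allowed to run.
var weakCSP = []string{
	"default-src 'self'",
	"script-src 'self' 'unsafe-inline'",
	"worker-src 'self' blob:",
}

// Policy matching the advisory's patch snippet: only same-origin scripts and the one
// hash-pinned inline script may execute; worker-src keeps blob: for the video player.
var hardenedCSP = []string{
	"default-src 'self'",
	"script-src 'self' 'sha256-2HPCfJIJHnY0NrRDPTOdC7AOSJIcQyNxzUuut3TsYRY='",
	"worker-src 'self' blob:",
}

// directive returns the source list of the named directive and whether it is present.
// A present directive with no sources (e.g. "script-src") is returned as ("", true),
// which browsers treat as 'none'.
func directive(csp, name string) (string, bool) {
	for _, d := range strings.Split(csp, ";") {
		fields := strings.Fields(d)
		if len(fields) > 0 && strings.EqualFold(fields[0], name) {
			return strings.Join(fields[1:], " "), true
		}
	}
	return "", false
}

// allowsInlineScript reports whether the policy lets inline <script> bodies or inline
// event handlers execute: script-src (or default-src as fallback) carries
// 'unsafe-inline' with no hash or nonce, or neither directive exists at all.
// Per CSP Level 2, a hash or nonce in the list makes browsers ignore 'unsafe-inline'.
func allowsInlineScript(csp string) bool {
	src, ok := directive(csp, "script-src")
	if !ok {
		src, ok = directive(csp, "default-src")
	}
	if !ok {
		return true // no script restriction at all
	}
	unsafeInline, hashOrNonce := false, false
	for _, t := range strings.Fields(src) {
		switch {
		case t == "'unsafe-inline'":
			unsafeInline = true
		case strings.HasPrefix(t, "'sha256-"), strings.HasPrefix(t, "'sha384-"),
			strings.HasPrefix(t, "'sha512-"), strings.HasPrefix(t, "'nonce-"):
			hashOrNonce = true
		}
	}
	return unsafeInline && !hashOrNonce
}

// allowsBlobWorkers reports whether worker-src permits blob: URLs, which the advisory
// says the video player needs.
func allowsBlobWorkers(csp string) bool {
	src, ok := directive(csp, "worker-src")
	if !ok {
		return false
	}
	for _, t := range strings.Fields(src) {
		if t == "blob:" {
			return true
		}
	}
	return false
}

// cspMiddleware sets the Content-Security-Policy header on every response.
func cspMiddleware(policy string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", policy)
		next.ServeHTTP(w, r)
	})
}

func main() {
	for _, p := range []struct{ name string; dirs []string }{{"weak", weakCSP}, {"hardened", hardenedCSP}} {
		csp := buildCSP(p.dirs)
		fmt.Printf("%-8s inline scripts allowed=%v  blob workers allowed=%v\n",
			p.name, allowsInlineScript(csp), allowsBlobWorkers(csp))
	}
}
```

The check deliberately treats a missing script-src and missing default-src as "inline allowed", since that is the browser behaviour; a policy that only restricts img-src, for example, does nothing against the pasted payload described in this advisory.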

For more information

If you have any questions or comments about this advisory:

Packages

Name: github.com/owncast/owncast (go)
Affected versions: < 0.0.9
Fixed version: 0.0.9

EPSS

Percentile: 55%
Score: 0.00326 (Low)

CVSS3: 8.2 High

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 8.2
nvd
about 4 years ago

Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.
