x/vulndb: potential Go vuln in github.com/ossrs/srs: CVE-2024-29882

[GoVulnBot]

CVE-2024-29882 references github.com/ossrs/srs, which may be a Go module.

Description:
SRS is a simple, high-efficiency, real-time video server. SRS's /api/v1/vhosts/vid-<id>?callback=<payload> endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-29882
• JSON: https://github.com/CVEProject/cvelist/tree/326590dc44c678f3d901812fc73c910587d6d318/2024/29xxx/CVE-2024-29882.json
• advisory: GHSA-gv9r-qcjc-5hj7
• fix: ossrs/srs@244ce7b
• Imported by: https://pkg.go.dev/github.com/ossrs/srs?tab=importedby

Cross references:

• Module github.com/ossrs/srs appears in issue x/vulndb: potential Go vuln in github.com/ossrs/srs: CVE-2023-34105 #1854 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/ossrs/srs
      vulnerable_at: 6.0.48+incompatible
      packages:
        - package: srs
cves:
    - CVE-2024-29882
references:
    - advisory: https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7
    - fix: https://github.com/ossrs/srs/commit/244ce7bc013a0b805274a65132a2980680ba6b9d

[gopherbot]

Change https://go.dev/cl/590278 mentions this issue: data/reports: add 48 unreviewed reports

[gopherbot]

Change https://go.dev/cl/590282 mentions this issue: data/excluded: add 3 excluded reports