x/vulndb: potential Go vuln in github.com/AlexxIT/go2rtc: GHSA-wv8x-3w6r-6h7v

[GoVulnBot]

Advisory GHSA-wv8x-3w6r-6h7v references a vulnerability in the following Go modules:

Module
github.com/AlexxIT/go2rtc

Description:
gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The links page (links.html) appends the src GET parameter ([0]) in all of its links for 1-click previews. The context in which src is being appended is innerHTML ([1]), which will insert the text as HTML. Commit 3b3d5b033aac3a019af64f83dec84f70ed2c8aba contains a patch for the issue.

References:

• ADVISORY: GHSA-wv8x-3w6r-6h7v
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-29191
• FIX: AlexxIT/go2rtc@3b3d5b0
• WEB: https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/AlexxIT/go2rtc
      versions:
        - fixed: 1.9.0
      vulnerable_at: 1.8.5
summary: gotortc Cross-site Scripting vulnerability in github.com/AlexxIT/go2rtc
cves:
    - CVE-2024-29191
ghsas:
    - GHSA-wv8x-3w6r-6h7v
references:
    - advisory: https://github.com/advisories/GHSA-wv8x-3w6r-6h7v
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29191
    - fix: https://github.com/AlexxIT/go2rtc/commit/3b3d5b033aac3a019af64f83dec84f70ed2c8aba
    - web: https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc
source:
    id: GHSA-wv8x-3w6r-6h7v
    created: 2024-08-05T23:01:16.709933674Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603715 mentions this issue: data/reports: add 20 unreviewed reports

[gopherbot]

Change https://go.dev/cl/603716 mentions this issue: data/reports: add 19 unreviewed reports