CVE-2024-27926

MEDIUM6.1EPSS 1.0%

RSSHub Cross-site Scripting vulnerability caused by internal media proxy

發布日:2024/3/6修改日:2024/3/21

描述

## Impact When the specially crafted image is supplied to the internal media proxy, it proxies the image without handling XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. ## Patches This vulnerability was fixed in version https://github.com/DIYgod/RSSHub/commit/4d3e5d79c1c17837e931b4cd253d2013b487aa87. Please upgrade to this or a later version. ## Workarounds No.

受影響套件(1)

npm/rsshub>= 1.0.0-master.cbbd829, < 1.0.0-master.d8ca915

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-27926
PATCHhttps://github.com/DIYgod/RSSHub
WEBhttps://github.com/DIYgod/RSSHub/commit/4d3e5d79c1c17837e931b4cd253d2013b487aa87
WEBhttps://github.com/DIYgod/RSSHub/security/advisories/GHSA-2wqw-hr4f-xrhh