CVE-2024-27926 – rsshub

Package

Manager: npm
Name: rsshub
Vulnerable Version: >=1.0.0-master.cbbd829 <1.0.0-master.d8ca915

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00275 pctl0.50602

Details

RSSHub Cross-site Scripting vulnerability caused by internal media proxy ## Impact When the specially crafted image is supplied to the internal media proxy, it proxies the image without handling XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. ## Patches This vulnerability was fixed in version https://github.com/DIYgod/RSSHub/commit/4d3e5d79c1c17837e931b4cd253d2013b487aa87. Please upgrade to this or a later version. ## Workarounds No.

Metadata

Created: 2024-03-06T17:02:34Z
Modified: 2024-03-21T18:25:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-2wqw-hr4f-xrhh/GHSA-2wqw-hr4f-xrhh.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-2wqw-hr4f-xrhh
Finding: F008
Auto approve: 1