RSSHub Cross-site Scripting vulnerability caused by internal media proxy
- Severity: Medium
Description
When a specially crafted image is supplied to the internal media proxy, the proxy serves it without any XSS handling, allowing arbitrary JavaScript to execute.
Users who open a deliberately constructed URL are affected.
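As an added example (not RSSHub's code and not its actual patch), the following Node.js-style functions show the failure mode the description refers to beside one way to harden a media proxy: a naive handler relays the upstream Content-Type and bytes untouched, while the hardened handler allowlists raster image types, checks that the body's magic bytes match the declared type, and adds `nosniff` and a CSP `sandbox` so a browser will neither re-interpret nor script the response. The response shape `{ status, headers, body }`, the allowlist, the signature table and the sample inputs are all constructed for this example.

```javascript
// Added example, not RSSHub's code or its actual fix. The response objects
// ({ status, headers, body }) are a constructed shape, not a framework API.

// Raster formats the hardened proxy is willing to serve (constructed allowlist).
// SVG is deliberately absent: it is XML and can carry a <script> element.
const ALLOWED_IMAGE_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif']);

// Leading magic bytes of the allowlisted formats.
const SIGNATURES = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Constructed inputs: a PNG header, and an SVG document carrying a script element.
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const SAMPLE_SVG = new TextEncoder().encode(
  '<svg xmlns="http://www.w3.org/2000/svg"><script>/* attacker script */</script></svg>');

// Return the media type the body's first bytes actually belong to, or null.
function sniffImageType(body) {
  for (const sig of SIGNATURES) {
    if (body.length >= sig.bytes.length && sig.bytes.every((b, i) => body[i] === b)) {
      return sig.type;
    }
  }
  return null;
}

// Normalise "image/png; charset=binary" to "image/png".
function mediaType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// The failure mode: whatever the upstream server declares and sends is relayed
// as-is, so an "image" that is really SVG or HTML containing script is rendered
// by the browser under the proxy's own origin.
function naiveProxyResponse(upstreamContentType, body) {
  return { status: 200, headers: { 'Content-Type': upstreamContentType }, body };
}

// Hardened variant: allowlist the declared type, require the bytes to match it,
// and add headers that stop the browser from sniffing or scripting the response
// even if one of the checks is ever bypassed.
function hardenedProxyResponse(upstreamContentType, body) {
  const declared = mediaType(upstreamContentType);
  const actual = sniffImageType(body);
  const baseHeaders = {
    'X-Content-Type-Options': 'nosniff',
    // "sandbox" with no allow-* flags: no script execution, opaque origin.
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
  if (!ALLOWED_IMAGE_TYPES.has(declared) || actual !== declared) {
    return { status: 415, headers: { ...baseHeaders, 'Content-Type': 'text/plain' }, body: null };
  }
  return { status: 200, headers: { ...baseHeaders, 'Content-Type': declared }, body };
}

// Stand-alone demonstration of both handlers on the constructed inputs.
console.log('naive, svg:    ', naiveProxyResponse('image/svg+xml', SAMPLE_SVG).status);
console.log('hardened, svg: ', hardenedProxyResponse('image/svg+xml', SAMPLE_SVG).status);
console.log('hardened, png: ', hardenedProxyResponse('image/png', SAMPLE_PNG).status);
```

The allowlist plus magic-byte check is what actually closes the hole; the `nosniff` and CSP `sandbox` headers are defence in depth, so a response that slips past the type check still cannot run script in the proxy's origin.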
Recommendation
Update the rsshub package to the latest compatible version. Version details follow:
- Affected version(s): >= 1.0.0-master.cbbd829, < 1.0.0-master.d8ca915
- Patched version(s): 1.0.0-master.d8ca915
References
Related Issues
- Stimulsoft Dashboard.JS Cross Site Scripting vulnerability - CVE-2024-24396
- Trix has a cross-site Scripting vulnerability on copy & paste - CVE-2024-43368
- SummerNote Cross Site Scripting Vulnerability - CVE-2024-37629
- @urql/next Cross-site Scripting vulnerability - CVE-2024-24556
- Tags: npm, rsshub
Last updated on March 21, 2024