CVE-2024-51498

Nov. 5, 2024, 4:04 p.m.

None
No Score

Description

cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links with the `javascript:` protocol, resulting in Cross-site Scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit `66bac03e`, was mitigated in commit `97977efa` (correctly configured web instances were no longer vulnerable) and fully fixed in commit `c4be1d3a` (included in release version 10.2.1). Users are advised to upgrade. Users unable to upgrade should enable a content-security-policy.

Product(s) Impacted

Product Versions
cobalt
  • 10.2.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/imputnet/cobalt/commit/66bac03e3078e4e781d2d3903c05ad66a883a354
https://github.com/imputnet/cobalt/commit/97977efabd92375f270d1818f38de3b0682c2f19
https://github.com/imputnet/cobalt/commit/c4be1d3a37b0deb6b6087ec7a815262ac942daf1
https://github.com/imputnet/cobalt/security/advisories/GHSA-cm4c-v4cm-3735

Tags

security-advisories@github.com
CWE-79
2024-11-05
CVE-2024-51498

Timeline

Published: Nov. 5, 2024, 12:15 a.m.
Last Modified: Nov. 5, 2024, 4:04 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.