CVE-2024-27926 — RSSHub Cross-site Scripting vulnerability caused by internal media proxy

Description

## Impact When the specially crafted image is supplied to the internal media proxy, it proxies the image without handling XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. ## Patches This vulnerability was fixed in version https://github.com/DIYgod/RSSHub/commit/4d3e5d79c1c17837e931b4cd253d2013b487aa87. Please upgrade to this or a later version. ## Workarounds No.

How to fix CVE-2024-27926

To remediate CVE-2024-27926, upgrade the affected package to a fixed version below.

—upgrade to 1.0.0-master.d8ca915 or later

Is CVE-2024-27926 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.0.0-master.cbbd829, < 1.0.0-master.d8ca915

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-27926
PATCHgithub.com/DIYgod/RSSHub
WEBgithub.com/DIYgod/RSSHub/commit/4d3e5d79c1c17837e931b4cd253d2013b487aa87
WEBgithub.com/DIYgod/RSSHub/security/advisories/GHSA-2wqw-hr4f-xrhh