CVE-2021-39183

8.2 HIGH

📋 TL;DR

This vulnerability in Owncast allows cross-site scripting (XSS): when a user pastes content that contains inline JavaScript, the script executes in that user's browser because the application's Content Security Policy permitted inline scripts. An attacker who gets a victim to paste crafted content (for example text copied from a page the attacker controls) can run arbitrary script in the victim's session, steal session cookies or perform actions on the victim's behalf. All Owncast instances running versions before 0.0.9 are affected.

💻 Affected Systems

Products:
  • Owncast
Versions: Versions before 0.0.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. Exploitation requires user interaction (the victim must paste the attacker-controlled content), but the attacker needs no account or other authentication on the instance.

📦 What is this software?

Owncast is an open source, self-hosted live video streaming server with a built-in web player and chat. Instances are normally exposed directly to the internet so that viewers can watch the stream and chat with each other.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, session hijacking, credential theft, and unauthorized administrative actions on the Owncast server.

🟠 Likely Case: Session hijacking leading to unauthorized access to the streaming platform, potential data exfiltration, and defacement of chat/content.

🟢 If Mitigated: Limited impact with proper Content Security Policy headers blocking inline script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation depends on social engineering: the victim must be persuaded to paste attacker-controlled content into the application. Once that happens, the script runs in the victim's browser with no further conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.0.9

Vendor Advisory: https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p

Restart Required: Yes

Instructions:

1. Back up your Owncast configuration and data.
2. Stop the Owncast service.
3. Update to version 0.0.9 or later.
4. Restart the Owncast service.
5. Verify that the Content-Security-Policy header the server now returns does not allow inline scripts (no 'unsafe-inline' in script-src, or in default-src when script-src is absent).

🔧 Temporary Workarounds

Manual CSP Header Configuration (applies to all affected versions)

Add a Content Security Policy at the web server or reverse proxy that disallows inline scripts. Browsers enforce every CSP header present in a response and a script must satisfy all of them, so a restrictive header added by nginx or Apache takes effect even while Owncast itself still sends a policy that contains 'unsafe-inline'.

Configure the web server (nginx/apache) to add: Content-Security-Policy: script-src 'self'; worker-src blob:

Caveat: the same policy also blocks any inline scripts the Owncast web UI itself depends on in your version, so check the player, chat and admin pages after deploying it rather than assuming they still work.

🧯 If You Can't Patch

  • Implement strict Content Security Policy headers at the web server level
  • Disable chat, the user-facing surface into which content is pasted, in the Owncast admin settings until you can upgrade, accepting the loss of that feature in the meantime

🔍 How to Verify

Check if Vulnerable:

Check the Owncast version: anything below 0.0.9 is vulnerable. Independently, request any page from the server and inspect the Content-Security-Policy response header: if the header is absent, or the directive governing scripts (script-src, or default-src when script-src is missing) contains 'unsafe-inline' without a nonce or hash source, inline scripts can still run.

Check Version:

Check Owncast web interface admin panel or run: ./owncast --version

Verify Fix Applied:

Verify that the version is 0.0.9 or higher, and confirm from the HTTP response headers that the Content-Security-Policy no longer permits inline scripts: 'unsafe-inline' should be absent from script-src (and from default-src if script-src is not set). Check the version and the header separately; a reverse proxy in front of Owncast can strip or override the headers the application sets.

📡 Detection & Monitoring

Log Indicators:

  • Chat messages or other user-submitted content containing "<script", "javascript:" URIs or HTML event-handler attributes such as "onerror=" and "onload=", including HTML-entity-encoded variants ("&lt;script")
  • Multiple failed admin login attempts from new locations
  • Administrative actions from unexpected user sessions

Network Indicators:

  • HTTP POST requests to the Owncast chat or admin endpoints carrying script payloads in the body
  • Unusual outbound connections from the Owncast server, for example to a new webhook destination configured through a hijacked admin session

SIEM Query:

source="owncast.log" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")

This literal match is a starting point only: it misses entity-encoded or whitespace-broken payloads, and Owncast's server log may not record message bodies at all, so point the query at whatever actually captures user-submitted content (chat webhook events or a database export).

🔗 References

  • Vendor advisory: https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-39183
