You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description:
librespeed/speedtest is an open source, self-hosted speed test for HTML5. In affected versions missing neutralization of the ISP information in a speedtest result leads to stored Cross-site scripting in the JSON API. The processedString field in the ispinfo parameter is missing neutralization. It is stored when a user submits a speedtest result to the telemetry API (results/telemetry.php) and returned in the JSON API (results/json.php). This vulnerability has been introduced in commit 3937b94. This vulnerability affects LibreSpeed speedtest instances running version 5.2.5 or higher which have telemetry enabled and has been addressed in version 5.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-32890 references github.com/librespeed/speedtest, which may be a Go module.
Description:
librespeed/speedtest is an open source, self-hosted speed test for HTML5. In affected versions missing neutralization of the ISP information in a speedtest result leads to stored Cross-site scripting in the JSON API. The
processedString
field in theispinfo
parameter is missing neutralization. It is stored when a user submits a speedtest result to the telemetry API (results/telemetry.php
) and returned in the JSON API (results/json.php
). This vulnerability has been introduced in commit 3937b94. This vulnerability affects LibreSpeed speedtest instances running version 5.2.5 or higher which have telemetry enabled and has been addressed in version 5.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: