Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/librespeed/speedtest: CVE-2024-32890 #2802

Closed
GoVulnBot opened this issue May 1, 2024 · 1 comment
Assignees
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2024-32890 references github.com/librespeed/speedtest, which may be a Go module.

Description:
librespeed/speedtest is an open source, self-hosted speed test for HTML5. In affected versions missing neutralization of the ISP information in a speedtest result leads to stored Cross-site scripting in the JSON API. The processedString field in the ispinfo parameter is missing neutralization. It is stored when a user submits a speedtest result to the telemetry API (results/telemetry.php) and returned in the JSON API (results/json.php). This vulnerability has been introduced in commit 3937b94. This vulnerability affects LibreSpeed speedtest instances running version 5.2.5 or higher which have telemetry enabled and has been addressed in version 5.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/librespeed/speedtest
      vulnerable_at: 0.0.0-20240427131232-dd1ce2cb8830
      packages:
        - package: speedtest
summary: CVE-2024-32890 in github.com/librespeed/speedtest
cves:
    - CVE-2024-32890
references:
    - advisory: https://github.com/librespeed/speedtest/security/advisories/GHSA-3954-xrwh-fq4q
    - fix: https://github.com/librespeed/speedtest/commit/3937b940e80b734acae36cd41a2a31819593e728
    - fix: https://github.com/librespeed/speedtest/commit/dd1ce2cb8830d94dcaa0b8e70b9406144a0e5f8d
source:
    id: CVE-2024-32890

@tatianab tatianab self-assigned this May 2, 2024
@tatianab tatianab added excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed possibly not Go labels Jun 5, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/590855 mentions this issue: data/excluded: add 20 excluded reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Development

No branches or pull requests

3 participants