CVE-2022-24739 Information

Jun 07, 2022 cve

Description

alltube is an html front end for youtube-dl. On releases prior to 3.0.3 an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured). The impact is mitigated by the fact the SSRF attack is only possible when the stream option is enabled in the configuration. (This option is disabled by default.) 3.0.3 contains a fix for this vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f73496a https://github.com/Rudloff/alltube/security/advisories/GHSA-75p7-527p-w8wp https://github.com/Rudloff/alltube/commit/3a4f09dda0a466662a4e52cde674749e0c668e8d https://github.com/Rudloff/alltube/commit/bc14b6e45c766c05757fb607ef8d444cbbfba71a

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1

Share on: