CVE-2024-51498 Information
Description
cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links using the javascript: protocol, resulting in Cross-site Scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit 66bac03e; it was mitigated in commit 97977efa (correctly configured web instances were no longer vulnerable) and fully fixed in commit c4be1d3a (included in release version 10.2.1). Users are advised to upgrade. Users unable to upgrade should enable a Content-Security-Policy.
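The defensive check described above, as an added example that is not cobalt's own code: a client that renders links returned by a remote instance allowlists the URL scheme before using them as an href, so a javascript: (or data:) link from a hostile instance is dropped instead of rendered. The { url, thumb } picker item shape and the sample response are constructed assumptions for this example.

```javascript
// Added example (not cobalt's code): allowlist the URL scheme of every link a
// remote instance returns before it is rendered as an href in the picker.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalised absolute URL when it is safe to use as an href, else
// null. Parsing with the WHATWG URL parser and no base rejects relative input
// and normalises scheme tricks (mixed case, embedded tabs/newlines, leading
// whitespace) before the allowlist check, so an unusual spelling of
// "javascript:" does not slip past it.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return null; // relative or unparsable: refuse rather than guess
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Builds the list the picker will render. Items whose url fails the check are
// dropped (and counted, so the client can log a hostile instance); a bad thumb
// is simply omitted. The { url, thumb } item shape is an assumption here.
function sanitizePicker(items) {
  const kept = [];
  let dropped = 0;
  for (const item of items ?? []) {
    const url = safeHref(item?.url);
    if (url === null) { dropped++; continue; }
    const entry = { url };
    if (item.thumb !== undefined) {
      const thumb = safeHref(item.thumb);
      if (thumb !== null) entry.thumb = thumb;
    }
    kept.push(entry);
  }
  return { kept, dropped };
}

// Constructed sample of what a hostile instance might return (not real data).
const SAMPLE_PICKER = [
  { url: "https://cdn.example.test/video.mp4", thumb: "https://cdn.example.test/t.jpg" },
  { url: "HTTP://cdn.example.test/A.mp4", thumb: "javascript:alert(1)" },
  { url: "javascript:alert(document.cookie)" },
  { url: " JaVaScRiPt:alert(1)" },
  { url: "java\tscript:alert(1)" },
  { url: "data:text/html,<script>alert(1)</script>" },
  { url: "//cdn.example.test/relative.mp4" },
];
const result = sanitizePicker(SAMPLE_PICKER);
console.log(`kept ${result.kept.length}, dropped ${result.dropped}`); // kept 2, dropped 5
```

This check belongs in the client regardless of CSP; the Content-Security-Policy the advisory recommends is a second layer that blocks inline script execution if a bad link is rendered anyway.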
References
https://github.com/imputnet/cobalt/security/advisories/GHSA-cm4c-v4cm-3735
https://github.com/imputnet/cobalt/commit/66bac03e3078e4e781d2d3903c05ad66a883a354
https://github.com/imputnet/cobalt/commit/97977efabd92375f270d1818f38de3b0682c2f19
https://github.com/imputnet/cobalt/commit/c4be1d3a37b0deb6b6087ec7a815262ac942daf1