CVE-2024-51498
- Source
- https://cve.org/CVERecord?id=CVE-2024-51498
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-51498.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-51498
- Aliases
-
- GHSA-cm4c-v4cm-3735
- Published
- 2024-11-04T23:07:17.704Z
- Modified
- 2025-12-01T17:47:15.304320Z
- Severity
-
- 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- [@imput/cobalt-web] Cross-site Scripting when downloading picker image from malicious instance
- Details
-
cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links with the
javascript:protocol, resulting in Cross-site Scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit66bac03e, was mitigated in commit97977efa(correctly configured web instances were no longer vulnerable) and fully fixed in commitc4be1d3a(included in release version 10.2.1). Users are advised to upgrade. Users unable to upgrade should enable a content-security-policy. - Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/51xxx/CVE-2024-51498.json", "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/51xxx/CVE-2024-51498.json
- https://github.com/imputnet/cobalt/commit/66bac03e3078e4e781d2d3903c05ad66a883a354
- https://github.com/imputnet/cobalt/commit/97977efabd92375f270d1818f38de3b0682c2f19
- https://github.com/imputnet/cobalt/commit/c4be1d3a37b0deb6b6087ec7a815262ac942daf1
- https://github.com/imputnet/cobalt/security/advisories/GHSA-cm4c-v4cm-3735
- https://nvd.nist.gov/vuln/detail/CVE-2024-51498