mirror of
https://github.com/scottlamb/moonfire-nvr.git
synced 2024-12-25 22:55:55 -05:00
4c9aa93fdf
This fixes a real cross-site WebSocket hijacking (CSWSH) vulnerability. If the attacker knows the URL of an NVR installation this user is authenticated to and the UUID of a camera, and can trick the user into visiting their webpage, they can grab the live stream. At least there's some entropy in the camera UUID, but it was never intended to be a secret.

- base
- db
- src
- Cargo.lock
- Cargo.toml