logo

Database

Server side cross-site scripting In gogs.io/gogs

Description

Cross-site Scripting in Gogs

Impact

The malicious user is able to upload a crafted SVG file as the issue attachment to archive XSS. All installations allow uploading SVG (text/xml) files as issue attachments (non-default) are affected.

Patches

Correctly setting the Content Security Policy for the serving endpoint. Users should upgrade to 0.12.7 or the latest 0.13.0+dev.

Workarounds

Disable uploading SVG files (text/xml) as issue attachments.

References

https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/

For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6919.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-14642. NVD-2022-14643. OSV-2022-14644. GHSA-ff28-f46g-r9g85. GCVE-2022-1464

References

1. https://github.com/gogs/gogs/security/advisories/GHSA-ff28-f46g-r9g82. https://github.com/gogs/gogs/commit/bc77440b301ac8780698be91dff1ac33b7cee8503. https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.