CVE-2018-17031

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2018-17031

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17031.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-17031

Aliases

Published

2018-09-14T02:29:00.390Z

Modified

2026-04-10T04:06:54.070410Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not sent.

References

https://github.com/gogs/gogs/issues/5397

Affected packages

Git / github.com/gogs/gogs

Affected ranges

Type

GIT

Repo

https://github.com/gogs/gogs

Events

Introduced

Last affected

91441c3fb29d8ead645d8fffa4658d749d5b3fc3

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.11.53"
        }
    ]
}

Affected versions

v0.*

v0.10

v0.10.18

v0.10.8

v0.10rc

v0.11

v0.11.19

v0.11.29

v0.11.33

v0.11.34

v0.11.4

v0.11.43

v0.11.53

v0.11rc

v0.2.0

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.4.2

v0.5.0

v0.5.11

v0.5.13

v0.5.2

v0.5.5

v0.5.8

v0.5.9

v0.6.1

v0.6.15

v0.6.3

v0.6.9

v0.7.0

v0.7.19

v0.7.22

v0.7.33

v0.7.6

v0.8.0

v0.8.10

v0.8.25

v0.8.43

v0.9.0

v0.9.113

v0.9.128

v0.9.13

v0.9.141

v0.9.46

v0.9.48

v0.9.60

v0.9.71

v0.9.97

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17031.json"