GHSA-ff28-f46g-r9g8

Suggest an improvement
Source
https://github.com/advisories/GHSA-ff28-f46g-r9g8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ff28-f46g-r9g8/GHSA-ff28-f46g-r9g8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ff28-f46g-r9g8
Aliases
Published
2022-05-24T20:48:14Z
Modified
2024-08-21T15:42:03.121316Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Cross-site Scripting in Gogs
Details

Impact

The malicious user is able to upload a crafted SVG file as the issue attachment to archive XSS. All installations allow uploading SVG (text/xml) files as issue attachments (non-default) are affected.

Patches

Correctly setting the Content Security Policy for the serving endpoint. Users should upgrade to 0.12.7 or the latest 0.13.0+dev.

Workarounds

Disable uploading SVG files (text/xml) as issue attachments.

References

https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/

For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6919.

Database specific 
{
    "nvd_published_at": "2022-05-05T14:15:00Z",
    "github_reviewed_at": "2022-05-24T20:48:14Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Go / gogs.io/gogs

Package

Name
gogs.io/gogs
View open source insights on deps.dev
Purl
pkg:golang/gogs.io/gogs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.12.7