CVE-2022-1464
Published 2022-05-05
Priority: P4 (25), medium · CVSS 3.1 base score 5.4 · vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.69% (48.0th percentile)
Stored XSS bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public, any user can view the report and, when opening the attachment, the XSS is executed. This bug allows executing arbitrary JavaScript code in the victim's account.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.12.7 | 0.12.7 |
| gogs | gogs | < 0.12.7 | 0.12.7 |
| gogs | gogs_gogs | >= unspecified < 0.12.7 | 0.12.7 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 3.0 | 7.3 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| cisa | | 5.5 | MEDIUM | |
OSV · 2024-08-21 · CVE-2022-1464 · Cross-site Scripting in Gogs in gogs.io/gogs
OSV · 2022-05-24 · CVE-2022-1464 [MEDIUM] · Cross-site Scripting in Gogs
### Impact
A malicious user is able to upload a crafted SVG file as an issue attachment to achieve XSS. All installations that [allow uploading SVG (`text/xml`) files as issue attachments (non-default)](https://github.com/gogs/gogs/blob/e51e01683408e10b3dcd2ace65e259ca7f0fd61b/conf/app.ini#L283-L284) are affected.
### Patches
Fixed by correctly setting the Content Security Policy on the attachment-serving endpoint. Users should upgrade to 0.12.7 or the latest 0.13.0+dev.
### Workarounds
[Disable uploading SVG files (`text/xml`) as issue attachments](https://github.com/gogs/gogs/blob/e51e01683408e10b3dcd2ace65e259ca7f0fd61b/conf/app.ini#L283-L284).
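As an added example (not Gogs code), a Go handler that applies the patch's idea, a restrictive Content Security Policy on the attachment-serving endpoint, next to the workaround's upload allow-list check; the handler names, the allow-list contents and the sample SVG are assumptions constructed for the demonstration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// Constructed sample: an SVG carrying a script element. Rendered inline in the
// site's origin it would execute; served with the headers below it cannot.
const sampleSVG = `<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>`

// allowedTypes is a hypothetical upload allow-list that omits text/xml, the
// advisory's workaround (names are assumptions, not Gogs configuration).
var allowedTypes = map[string]bool{"image/png": true, "image/jpeg": true, "image/gif": true}

// isUploadAllowed normalises the declared type (dropping parameters such as
// charset) before checking the allow-list, so "text/xml; charset=utf-8" is rejected.
func isUploadAllowed(contentType string) bool {
	mediaType, _, err := mime.ParseMediaType(contentType)
	return err == nil && allowedTypes[mediaType]
}

// attachmentHandler serves a stored attachment body with a restrictive CSP,
// the kind of fix the advisory describes for the serving endpoint (example only).
func attachmentHandler(contentType string, body []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Type", contentType)
		// No script, object or external loads; sandbox gives the document an opaque origin.
		h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
		// Keep browsers from sniffing the body into a scriptable type.
		h.Set("X-Content-Type-Options", "nosniff")
		// Download rather than render inline.
		h.Set("Content-Disposition", "attachment")
		_, _ = w.Write(body)
	})
}

// serveOnce runs the handler against a constructed request and returns the response.
func serveOnce(contentType string, body []byte) *http.Response {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/attachments/demo.svg", nil)
	attachmentHandler(contentType, body).ServeHTTP(rec, req)
	return rec.Result()
}

func main() {
	resp := serveOnce("image/svg+xml", []byte(sampleSVG))
	fmt.Println(resp.Header.Get("Content-Security-Policy"), isUploadAllowed("text/xml"))
}
```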
### References
https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/
### For more information
If you have any quest
GHSA · 2022-05-24 · CVE-2022-1464 [MEDIUM] · CWE-79 · Cross-site Scripting in Gogs (same advisory text as the OSV entry above)
CISA · 2021-11-03 · CVSS 5.5 · CVE-2020-1464 [HIGH] · CWE-347 · Microsoft Windows Spoofing Vulnerability
Affected: Microsoft Windows
Microsoft Windows contains a spoofing vulnerability when Windows incorrectly validates file signatures, allowing an attacker to bypass security features and load improperly signed files.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-1464
Remediation Due Date: 2022-05-03
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.