Severity: 5.4 MEDIUM (NVD)
EPSS: 0.3% (top 50.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jun 9
Latest update: Aug 21

Description

Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

NVD: gogs/gogs < 0.12.9
Go: gogs.io/gogs < 0.12.9

Patches

Vulnerability Details (3)

OSV: Cross-site Scripting vulnerability in repository issue list in Gogs in gogs.io/gogs (2024-08-21)
GHSA: Cross-site Scripting vulnerability in repository issue list in Gogs (2022-06-08)
OSV: Cross-site Scripting vulnerability in repository issue list in Gogs (2022-06-08)