Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-6886 — Cross-site Scripting in Gitea

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

10.0CRITICALNVD

EPSS

25.2%

top 3.80%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Code.gitea.io Gitea Gitea Open Source GIT Server

Timeline

PublishedAug 6

Latest updateAug 28

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS.This issue affects Gitea Open Source Git Server: 1.22.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages2 packages

▶CVEListV5gitea/gitea_open_source_git_server1.22.0

▶Gocode.gitea.io/gitea< 1.22.1

🔴Vulnerability Details

GHSA

Gitea Cross-site Scripting Vulnerability↗2024-08-06

▶

OSV

Gitea Cross-site Scripting Vulnerability in code.gitea.io/gitea↗2024-08-06

▶

OSV

Gitea Cross-site Scripting Vulnerability↗2024-08-06

▶

💥Exploits & PoCs

Exploit-DB

Gitea 1.22.0 - Stored XSS↗2024-08-28

▶

Nuclei

Gitea 1.22.0 - Cross-Site Scripting

▶

📋Vendor Advisories

Red Hat

Gitea: Stored XSS due to improper sanitization↗2024-07-09

▶