CVE-2024-6886
published 2024-08-06


Priority: P2 (73) · Critical, 10 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT · EPSS: 40.32% (98.5th percentile)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0.

Affected (2 ranges)

Vendor         | Product                       | Version range    | Fixed in
code.gitea.io  | gitea                         | >= 0, < 1.22.1   | 1.22.1
gitea          | gitea_open_source_git_server  | (not specified)  | (not specified)

Detection & IOCs (extracted from sources)

path: /$username/$repo_name/settings
command: POST /user/login HTTP/1.1 Content-Type: application/x-www-form-urlencoded user_name={{username}}&password={{password}}
command: POST /repo/create HTTP/1.1 Content-Type: application/x-www-form-urlencoded repo_name={{randstr}}&description=XSS&_csrf={{csrf_token}}&uid={{uid_name}}
  • Monitor POST requests to /repo/create containing a `description` parameter with script/XSS payloads (e.g., containing '<' or 'javascript:') from authenticated sessions.
  • Monitor POST requests to /$username/$repo_name/settings where the Description field contains HTML/script injection payloads; this is the injection point for the stored XSS.
  • Monitor for clients that harvest the `_csrf` token from responses using the regex pattern `name="_csrf" value="([^"]+)"`; token harvesting in automated requests is a sign of exploit tooling targeting this CVE.
  • The exploit requires authentication; look for a login POST to /user/login followed immediately by GET /{{username}} and then POST /repo/create. This sequence in logs is characteristic of automated exploitation.
  • The vulnerability is strictly limited to Gitea Open Source Git Server version 1.22.0; no other versions are confirmed affected by this CVE.
  • Exploitation requires an authenticated attacker with at least repository creation or settings-modification privileges; unauthenticated exploitation is not possible.
  • The Gitea Go SDK (client library) is NOT affected; only the Gitea server application itself is vulnerable.

CVSS provenance

Source         | CVSS version | Score | Severity | Vector
nvd            | 4.0          | 10.0  | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat  | (not given)  | 10.0  | CRITICAL | (not given)