CVE-2022-31038
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 DisplayName does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes DisplayName prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| gogs | gogs | < 0.12.9 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2
- https://github.com/gogs/gogs/pull/7009
- https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2
- https://github.com/gogs/gogs/pull/7009
- https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.