Описание
Cross-site Scripting in Gogs
Impact
The malicious user is able to upload a crafted SVG file as the issue attachment to archive XSS. All installations allow uploading SVG (text/xml) files as issue attachments (non-default) are affected.
Patches
Correctly setting the Content Security Policy for the serving endpoint. Users should upgrade to 0.12.7 or the latest 0.13.0+dev.
Workarounds
Disable uploading SVG files (text/xml) as issue attachments.
References
https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/
For more information
If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6919.
Пакеты
gogs.io/gogs
< 0.12.7
0.12.7
Связанные уязвимости
Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account .