Description
Gogs XSS allowed by stored call in PDF renderer
Summary
A stored XSS is present in Gogs which allows client-side JavaScript code execution.
Details
Gogs Version:
Application version: 0.14.0+dev
Local setup using:
The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/.
Read more about this vulnerability at codeanlabs - CVE-2024-4367.
PoC
- Upload the Proof of Concept file hosted at https://codeanlabs.com/wp-content/uploads/2024/05/poc_generalized_CVE-2024-4367.pdf in a repository.
- Click on the file to be previewed.
Credits
Edoardo Ottavianelli
References
- https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v
- https://nvd.nist.gov/vuln/detail/CVE-2025-47943
- https://github.com/gogs/gogs/commit/110117b2e5e5baa4809c819bec701e929d2d8d40
- https://github.com/gogs/gogs/releases/tag/v0.13.3
- https://www.hacktivesecurity.com/blog/2025/07/15/cve-2025-47943-stored-xss-in-gogs-via-pdf
Packages
- github.com/gogs/gogs
  - Affected versions: < 0.13.3-0.20250608224432-110117b2e5e5
  - Fixed version: 0.13.3-0.20250608224432-110117b2e5e5
- gogs.io/gogs
  - Affected versions: < 0.13.3-0.20250608224432-110117b2e5e5
  - Fixed version: 0.13.3-0.20250608224432-110117b2e5e5
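
A version check against the package ranges above, as an added example that is not part of the advisory or of Gogs; it implements SemVer precedence in Python so that pseudo-versions sort correctly against the fixed one. The `verify-commit` result for versions carrying build metadata, such as the 0.14.0+dev named under Details, is this example's assumption: such a label sorts above the fixed version without saying which commit was built.

```python
import re

# Values copied from the advisory's package table.
FIXED = "0.13.3-0.20250608224432-110117b2e5e5"
MODULES = {"github.com/gogs/gogs", "gogs.io/gogs"}

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$"
)


def parse(version):
    """Split a version into (core tuple, pre-release identifiers, build metadata)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4).split(".") if m.group(4) else []
    return core, pre, m.group(5)


def _pre_key(pre):
    # SemVer precedence: a release outranks its own pre-releases; numeric
    # identifiers compare as integers and rank below alphanumeric ones.
    if not pre:
        return (1,)
    return (0, tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre))


def status(module, version):
    """Return 'affected', 'fixed', 'verify-commit' or 'not-gogs'."""
    if module not in MODULES:
        return "not-gogs"
    core, pre, build = parse(version)
    if build:
        # Assumption of this example: a label such as +dev does not identify
        # the commit that was built, so the build must be checked by hand.
        return "verify-commit"
    f_core, f_pre, _ = parse(FIXED)
    if (core, _pre_key(pre)) < (f_core, _pre_key(f_pre)):
        return "affected"
    return "fixed"


if __name__ == "__main__":
    # Constructed inputs, not taken from a real deployment.
    for v in ("v0.13.2", "v0.13.3", "0.14.0+dev"):
        print(v, status("gogs.io/gogs", v))
```
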
Related vulnerabilities
Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3.