exploitDog

CVE-2022-31038

Published: 09 Jun 2022
Source: nvd
CVSS3: 5.4
CVSS2: 3.5
EPSS: Low

Description

Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 DisplayName does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes DisplayName prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters.

Vulnerable configurations

Configuration 1
cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
Versions before 0.12.9 (exclusive)

EPSS

Percentile: 49%
0.00263
Low

CVSS3: 5.4 Medium

CVSS2: 3.5 Low

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
github
more than 3 years ago

Cross-site Scripting vulnerability in repository issue list in Gogs
