Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows the data: URI scheme, so an authenticated user can inject links whose data: payload executes arbitrary JavaScript in the browser of anyone who follows them. This issue has been patched in version 0.14.2.
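The weak spot described above is a single entry in a URL-scheme allowlist. The Go program below is an added illustration for this page, not Gogs' own code (Gogs builds its sanitizer on the bluemonday library; the Policy type, function names and sample hrefs here are assumptions written for the example). It shows a minimal scheme allowlist with data: present, the way the pre-0.14.2 policy is described, next to the same allowlist with data: removed, and runs both over constructed link targets that could appear in a rendered issue comment.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Policy is a minimal stand-in for the URL-scheme allowlist of an HTML
// sanitizer. Illustration only (assumption for this page); Gogs' real
// sanitizer is a bluemonday policy, not this type.
type Policy struct {
	AllowedSchemes map[string]bool
}

// NewPolicy builds a policy from scheme names, compared case-insensitively.
func NewPolicy(schemes ...string) Policy {
	p := Policy{AllowedSchemes: map[string]bool{}}
	for _, s := range schemes {
		p.AllowedSchemes[strings.ToLower(s)] = true
	}
	return p
}

// CheckHref reports whether href may be emitted into an <a href> attribute.
// Relative URLs (no scheme) are kept, URLs that fail to parse are rejected
// (net/url refuses control bytes such as the newline in "java\nscript:"),
// and absolute URLs must use an allowlisted scheme. url.Parse lower-cases
// the scheme, so "DATA:" and "data:" are treated alike.
func (p Policy) CheckHref(href string) bool {
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true // e.g. "/user/repo/pulls" or "#anchor"
	}
	return p.AllowedSchemes[u.Scheme]
}

// SanitizeLinks keeps only the hrefs the policy accepts; a real sanitizer
// would drop the attribute (or the element) for the rejected ones.
func (p Policy) SanitizeLinks(hrefs []string) []string {
	var kept []string
	for _, h := range hrefs {
		if p.CheckHref(h) {
			kept = append(kept, h)
		}
	}
	return kept
}

// WeakPolicy mirrors the behaviour described on the page: "data" sits in
// the allowlist next to the usual web schemes.
var WeakPolicy = NewPolicy("http", "https", "mailto", "data")

// HardenedPolicy is the same allowlist with "data" removed.
var HardenedPolicy = NewPolicy("http", "https", "mailto")

// SampleHrefs are constructed link targets, not data taken from any report.
var SampleHrefs = []string{
	"https://example.org/user/repo/issues/1",
	"/user/repo/pulls",
	"mailto:maintainer@example.org",
	"data:text/html,<script>alert(document.domain)</script>",
	"DATA:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
	"javascript:alert(1)",
}

func main() {
	fmt.Println("weak policy keeps:    ", WeakPolicy.SanitizeLinks(SampleHrefs))
	fmt.Println("hardened policy keeps:", HardenedPolicy.SanitizeLinks(SampleHrefs))
}
```

The weak policy already rejects javascript: yet lets both data: forms through, including the upper-cased one, which is why checking the scheme name alone is the right unit of comparison: the allowlist entry, not the payload encoding, is the defect. When reviewing a sanitizer configuration, treat any scheme that can carry executable content (data:, javascript:, vbscript:) as a finding regardless of what the rest of the policy strips, and note that even where a browser refuses top-level navigation to data: links, such a link can still serve content for download or phishing.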
References
- Patch
- Issue Tracking
- Release Notes
- Exploit
- Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 0.14.2 (exclusive)
cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
EPSS
Percentile: 2%
Score: 0.00013 (Low)
CVSS3
8.7 High
5.4 Medium
Weaknesses
CWE-79
Related vulnerabilities
- github, about 1 month ago: Gogs: Stored XSS via data URI in issue comments (CVSS3: 8.7)