Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-68942

Опубликовано: 26 дек. 2025
Источник: redhat
CVSS3: 5.4
EPSS Низкий

Описание

Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

A flaw was found in Gitea. A remote attacker could exploit a Cross-Site Scripting (XSS) vulnerability by injecting malicious scripts into the search input box. This occurs because the application improperly uses v-html instead of v-text for rendering user input. Successful exploitation allows for the execution of arbitrary code in the context of the user's browser, potentially leading to information disclosure or unauthorized actions.

Отчет

This vulnerability is rated Moderate for Red Hat OpenShift Pipelines versions 1.16 and 1.17 due to a Cross-Site Scripting (XSS) flaw in the integrated Gitea component. The flaw allows a remote attacker to inject malicious scripts via the search input, potentially leading to information disclosure or unauthorized actions in the context of the user's browser. OpenShift Pipelines versions 1.18, 1.19, and 1.20 are not affected as the vulnerable code is not present.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-cli-rhel8Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-cli-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-controller-rhel8Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-controller-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=2425464gitea: Gitea: Cross-Site Scripting (XSS) vulnerability via search input

EPSS

Процентиль: 2%
0.00012
Низкий

5.4 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-68942

CVSS3: 5.4
ubuntu
3 месяца назад

Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

nvd логотип

CVE-2025-68942

CVSS3: 5.4
nvd
3 месяца назад

Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

debian логотип

CVE-2025-68942

CVSS3: 5.4
debian
3 месяца назад

Gitea before 1.22.2 allows XSS because the search input box (for creat ...

github логотип

GHSA-898p-hh3p-hf9r

CVSS3: 5.4
github
3 месяца назад

Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text

EPSS

Процентиль: 2%
0.00012
Низкий

5.4 Medium

CVSS3