Описание
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
A flaw was found in Gitea. A remote attacker could exploit this vulnerability by injecting a forbidden URL scheme, such as javascript:, into a link. This could lead to Cross-Site Scripting (XSS), allowing the attacker to execute arbitrary code in the user's browser or disclose sensitive information.
Отчет
This vulnerability is rated Moderate. In the Red Hat context, all listed OpenShift Pipelines components are not affected as the vulnerable code is not present.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.4 Medium
CVSS3
Связанные уязвимости
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can ...
EPSS
5.4 Medium
CVSS3