Skip to content

Stored XSS Assignee

Critical
unknwon published GHSA-3ghq-jqx4-4c4f Feb 25, 2023

Package

gomod Gogs (Go)

Affected versions

< 0.12.11

Patched versions

0.12.11

Description

Impact

DisplayName allows all the characters from users, which leads to an XSS vulnerability when directly displayed in the issue assignee list.

Patches

DisplayName is sanitized before upon retrieving from the database. Users should upgrade to 0.12.11 or the latest 0.13.0+dev.

Workarounds

N/A

References

https://nvd.nist.gov/vuln/detail/CVE-2022-32174

For more information

If you have any questions or comments about this advisory, please post on #7145.

Severity

Critical

CVE ID

CVE-2022-32174

Weaknesses

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. Learn more on MITRE.