
Stored XSS Assignee

Open danielelkabes opened this issue 3 years ago • 1 comments

Describe the bug

Stored Cross-Site Scripting (XSS) in the select assignee component | Mend

Additional context

Hi team, following your security policy request for sharing high-level vulnerability information, you can find it below.

Full report sent in mail to [email protected].

In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover, in the select assignee component. When an admin selects an assignee from the user’s list, the malicious JavaScript payload in the first name executes, which allows an attacker to gain admin privileges.

Contact: [email protected] or [email protected]

danielelkabes avatar Aug 22 '22 09:08 danielelkabes

Hi team and @unknwon , attaching to the issue our disclosure policy that we already sent in email - https://www.mend.io/vulnerability-database/disclosure-policy/

danielelkabes avatar Sep 04 '22 07:09 danielelkabes

Hi team,

The disclosure timeline has passed and there was no response by mail or in the issue, so we opened a CVE ID:

CVE ID - https://nvd.nist.gov/vuln/detail/CVE-2022-32174

Sincerely,

danielelkabes avatar Oct 24 '22 12:10 danielelkabes

The patch has landed on 0.13.0+dev and will be back-ported to 0.12.11 (no ETA).

Thanks again for reporting!

unknwon avatar Feb 14 '23 13:02 unknwon

Why not change underlined parts to $(this).html()? Just in case sanitization won't work.


Furgas avatar Feb 25 '23 07:02 Furgas

I want to avoid touching the ancient gogs.js file as much as possible... 😁 until being able to migrate to modern frontend technologies like ReactJS.

unknwon avatar Feb 25 '23 07:02 unknwon

Version 0.12.11 has been released and includes the patch for the reported issue.

unknwon avatar Feb 25 '23 08:02 unknwon