Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings
/gogsPublic

Stored XSS Assignee

Critical
unknwon publishedGHSA-3ghq-jqx4-4c4fFeb 25, 2023

Package

gomodGogs (Go)

Affected versions

< 0.12.11

Patched versions

0.12.11

Description

Impact

DisplayName allows all the characters from users, which leads to an XSS vulnerability when directly displayed in the issue assignee list.

Patches

DisplayName is sanitized before upon retrieving from the database. Users should upgrade to 0.12.11 or the latest 0.13.0+dev.

Workarounds

N/A

References

https://nvd.nist.gov/vuln/detail/CVE-2022-32174

For more information

If you have any questions or comments about this advisory, please post on#7145.

Severity

Critical

CVE ID

CVE-2022-32174

Weaknesses

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Learn more on MITRE.
[8]ページ先頭
©2009-2025 Movatter.jp