// For flags

CVE-2022-31038

XSS vulnerability in repository issue list in Gogs

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters.

Gogs es un servicio Git de código abierto auto alojado. En versiones de gogs anteriores a 0.12.9 "DisplayName" no filtra la entrada de caracteres de los usuarios, lo que conlleva a una vulnerabilidad de tipo XSS cuando es mostrado directamente en la lista de problemas. Este problema ha sido resuelto en el commit 155cae1d que sanea "DisplayName" antes de mostrarlo al usuario. Es recomendado a todos los usuarios de gogs actualizar. Los usuarios que no puedan actualizarse deberían comprobar si los nombres de pantalla de sus usuarios contienen caracteres maliciosos

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-05-18 CVE Reserved
  • 2022-06-08 CVE Published
  • 2023-12-30 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Gogs
Search vendor "Gogs"
 Gogs
Search vendor "Gogs" for product "Gogs"
 < 0.12.9
Search vendor "Gogs" for product "Gogs" and version " < 0.12.9"
-
Affected