From $URL:

From the reporter:

----
I am reporting a persistent xss vector in gitweb, note this requires a user to have commit access to a repository that gitweb is configured to display. The vector is the fact that gitweb "serves" up xml files - which can (just as gitweb does) embed html that could be used to perform a cross-site scripting attack. e.g. (lol.xml).

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
    <head> </head>
    <script>alert(1);</script>
    </html>

and viewed at http://$HOSTNAME/$PATH_TO_GITWEB/?p=lolok;a=blob_plain;f=lol.xml
----
security: Which versions of Git are affected by this? I don't see any mention in the Git logs of this CVE.
This would not be fixed, as upstream says; however, they have talked about changing the default value of prevent_xss from 0 to 1 (if it is set to 1, the issue is gone), so from 1.6.* (when prevent_xss was introduced, not sure in which minor version) users can work around this bug.
Per the previous comment, this issue is something the user can work around locally. Most importantly, commit access must be granted in order for the XSS to be effective.
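
An added example, not part of the bug thread and not gitweb code: one way to verify the workaround is to look at the response headers of a blob_plain request and decide whether a browser would render the body as markup in the gitweb origin. The function names and the header samples are constructed for illustration; they are not captured gitweb output.

```python
# Added example: audit response headers of a blob_plain request.
from email import message_from_string

# Media types a browser parses as markup and may execute script from.
ACTIVE_TYPES = {"text/html", "text/xml", "application/xml"}
ACTIVE_SUFFIX = "+xml"  # application/xhtml+xml, image/svg+xml, ...

# Constructed sample header blocks (status line removed).
SAMPLE_XML_INLINE = (
    "Content-Type: text/xml; charset=utf-8\n"
    'Content-Disposition: inline; filename="lol.xml"\n'
)
SAMPLE_XML_ATTACHMENT = (
    "Content-Type: application/xml\n"
    'Content-Disposition: attachment; filename="lol.xml"\n'
)
SAMPLE_PLAIN_INLINE = (
    "Content-Type: text/plain; charset=utf-8\n"
    'Content-Disposition: inline; filename="lol.xml"\n'
)
SAMPLE_NO_TYPE = 'Content-Disposition: inline; filename="lol.xml"\n'


def renders_in_origin(raw_headers: str) -> bool:
    """Return True if the body would be rendered as active markup."""
    msg = message_from_string(raw_headers)
    # An attachment is downloaded rather than rendered in the page origin.
    if msg.get_content_disposition() == "attachment":
        return False
    # Without a declared type the browser may sniff the body as markup.
    if "Content-Type" not in msg:
        return True
    ctype = msg.get_content_type()  # lower-cased, parameters stripped
    return ctype in ACTIVE_TYPES or ctype.endswith(ACTIVE_SUFFIX)


if __name__ == "__main__":
    samples = {
        "xml inline": SAMPLE_XML_INLINE,
        "xml attachment": SAMPLE_XML_ATTACHMENT,
        "plain inline": SAMPLE_PLAIN_INLINE,
        "no content type": SAMPLE_NO_TYPE,
    }
    for name, raw in samples.items():
        verdict = "RENDERED" if renders_in_origin(raw) else "inert"
        print(f"{name:16} {verdict}")
```

Run the same check against the headers returned for a committed .xml blob before and after changing prevent_xss; a result of True after the change means the blob is still served in a renderable form.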