Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9.
Impact: As the repo is public, any user can view the report, and when they open the attachment the XSS is executed. This bug allows executing any JavaScript code in the victim's account.
Proof of Concept: https://try.gitea.io/cokeBeer/test/src/branch/main/poc.pdf
Fix: https://github.com/go-gitea/gitea/commit/65e0688a5c9dacad50e71024b7529fdf0e3c2e9c
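The report above describes the general hazard of serving a user-uploaded file inline from the application's own origin. The following added example (not the Gitea project's code, and not a reconstruction of the referenced fix commit) contrasts that weak response with a hardened one and provides a header check a defender can run against any attachment handler; the handler names, the sample attachment bytes and the request path are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for an uploaded attachment; only the response headers matter here.
var sampleAttachment = []byte("%PDF-1.4 (constructed placeholder body)")

// serveAttachmentWeak shows the risky pattern: a user upload rendered inline from the
// application's own origin, so anything executed while rendering it runs as the victim.
func serveAttachmentWeak(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/pdf")
	w.Header().Set("Content-Disposition", `inline; filename="upload.pdf"`)
	_, _ = w.Write(sampleAttachment)
}

// serveAttachmentHardened is a generic mitigation pattern (an assumption, not the
// Gitea fix): force a download, forbid MIME sniffing, and sandbox any inline render.
func serveAttachmentHardened(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("Content-Disposition", `attachment; filename="upload.pdf"`)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	_, _ = w.Write(sampleAttachment)
}

// ResponseHeaders runs a handler against a recorded request and returns its headers.
func ResponseHeaders(h http.HandlerFunc) http.Header {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/attachments/upload.pdf", nil))
	return rec.Header()
}

// IsSafeToServe is the check: an upload is acceptable to serve only if it is forced
// to download, or is both sniff-protected and rendered under a sandboxed CSP.
func IsSafeToServe(hdr http.Header) bool {
	disp := strings.ToLower(hdr.Get("Content-Disposition"))
	if strings.HasPrefix(disp, "attachment") {
		return true
	}
	return strings.EqualFold(hdr.Get("X-Content-Type-Options"), "nosniff") &&
		strings.Contains(hdr.Get("Content-Security-Policy"), "sandbox")
}

func main() {
	fmt.Println("weak handler safe:", IsSafeToServe(ResponseHeaders(serveAttachmentWeak)))
	fmt.Println("hardened handler safe:", IsSafeToServe(ResponseHeaders(serveAttachmentHardened)))
}
```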
XSS -> 4
Fix is in 1.16.9.
XSS requires user interaction, very low impact, so no GLSA.
We've got a bunch of Gitea bugs so we'll GLSA them all together.
GLSA request filed.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=3f72d6f5794d0d3c914ffacdf4c915fd8aac8d89

commit 3f72d6f5794d0d3c914ffacdf4c915fd8aac8d89
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:10:13 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

[ GLSA 202210-14 ] Gitea: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/848465
Bug: https://bugs.gentoo.org/857819
Bug: https://bugs.gentoo.org/868996
Bug: https://bugs.gentoo.org/877355
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202210-14.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
GLSA released, all done!