CVE-2022-1464: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 24, 2022

Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public, any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account .

References

github.com/advisories/GHSA-ff28-f46g-r9g8
github.com/gogs/gogs/commit/bc77440b301ac8780698be91dff1ac33b7cee850
github.com/gogs/gogs/security/advisories/GHSA-ff28-f46g-r9g8
huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d
nvd.nist.gov/vuln/detail/CVE-2022-1464

Code Behaviors & Features

Detect and mitigate CVE-2022-1464 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →