Stored XSS Assignee

[danielelkabes]

Describe the bug

Stored Cross-Site Scripting (XSS) in the select assignee component | Mend

Additional context

Hi team, following your security policy request for sharing high-level vulnerability information, you can find it below.

Full report sent in mail to security@gogs.io.

In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover, in the select assignee component. When an admin selects an assignee from the user’s list, the malicious JavaScript payload in the first name executes that allows an attacker to gain admin privileges.

Contact: vulnerability@mend.io or daniel.elkabes@mend.io

[danielelkabes]

Hi team and @unknwon , attaching to the issue our disclosure policy that we already sent in email - https://www.mend.io/vulnerability-database/disclosure-policy/

[danielelkabes]

Hi team,

Disclosure timeline has passed and there was no response in mails or in the issue, as of that we opened a CVE ID:

CVE ID - https://nvd.nist.gov/vuln/detail/CVE-2022-32174

Sincerely,

[unknwon]

The patch has landed on 0.13.0+dev and will be back-ported to 0.12.11 (no ETA).

Thanks again for reporting!

[Furgas]

Why not change underlined parts to $(this).html()? Just in case sanitization won't work.

[unknwon]

I want to avoid touching the ancient gogs.js file as much as possible... 😁 until being able to migrate to a modern frontend technologies like ReactJS.