
Stored XSS Assignee #7145

Closed
danielelkabes opened this issue Aug 22, 2022 · 6 comments · Fixed by #7353
Labels: 💊 bug (Something isn't working), 🔒 security (Categorizes as related to security)


danielelkabes commented Aug 22, 2022

Describe the bug

Stored Cross-Site Scripting (XSS) in the select assignee component | Mend

Additional context

Hi team, following your security policy request for sharing high-level vulnerability information, you can find it below.

Full report sent in mail to security@gogs.io.

In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover, in the select assignee component. When an admin selects an assignee from the user list, the malicious JavaScript payload in the first name executes, which allows an attacker to gain admin privileges.

Contact: vulnerability@mend.io or daniel.elkabes@mend.io

@danielelkabes danielelkabes added the 💊 bug Something isn't working label Aug 22, 2022
danielelkabes (Author) commented:

Hi team and @unknwon , attaching to the issue our disclosure policy that we already sent in email - https://www.mend.io/vulnerability-database/disclosure-policy/

@danielelkabes danielelkabes changed the title Stored XSS Assignee Security Vulnerability - Stored XSS Assignee Oct 24, 2022
danielelkabes (Author) commented:

Hi team,

The disclosure timeline has passed and there was no response by mail or in the issue, so we opened a CVE ID:

CVE ID - https://nvd.nist.gov/vuln/detail/CVE-2022-32174

Sincerely,

@unknwon unknwon added this to the 0.12.11 milestone Oct 24, 2022
@unknwon unknwon self-assigned this Feb 14, 2023

unknwon commented Feb 14, 2023

The patch has landed on 0.13.0+dev and will be back-ported to 0.12.11 (no ETA).

Thanks again for reporting!


Furgas commented Feb 25, 2023

Why not change the underlined parts to $(this).html()? Just in case sanitization doesn't work.

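Added example to illustrate the report above and the `.html()` vs `.text()` question in this comment; this is not Gogs code and not the patch in #7353. It contrasts the pattern behind a stored XSS in a user picker (a stored display name concatenated into markup that the browser then parses) with the escaped form, and adds a small template-test check. The user object, the markup and the helper names are assumptions made for illustration.

```javascript
// Added example (not Gogs code): unsafe vs. escaped rendering of a stored
// display name inside an assignee dropdown item.

// Escape the five characters that can break out of HTML text or attribute
// context. Inserting a value as a text node (jQuery .text(), DOM textContent)
// gives the same effect without building markup strings at all; .html() and
// innerHTML hand the string to the HTML parser, so anything not escaped runs.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored name goes straight into the markup string.
// Whoever later opens the picker (e.g. an admin assigning an issue) has the
// name parsed as HTML, which is exactly the stored-XSS condition reported.
function renderAssigneeItemUnsafe(user) {
  return '<div class="item" data-value="' + user.id + '">' + user.name + '</div>';
}

// Hardened pattern: every user-controlled value is escaped for the context it
// lands in (attribute value and element text respectively).
function renderAssigneeItemSafe(user) {
  return '<div class="item" data-value="' + escapeHtml(user.id) + '">' +
         escapeHtml(user.name) + '</div>';
}

// Defender-side check suitable for a template test-suite: a rendered item must
// consist of exactly our own opening div and its closing tag, nothing else.
// (Heuristic, assumed for this example; it catches injected tags, not every
// possible attribute-context break-out.)
function hasOnlyExpectedMarkup(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.length === 2 &&
    tags[0].startsWith('<div class="item"') &&
    tags[1] === '</div>';
}

// Constructed sample profile whose display name carries a script tag.
const SAMPLE_USER = { id: 42, name: 'Mallory <script>alert(1)</script>' };

console.log(renderAssigneeItemUnsafe(SAMPLE_USER)); // script tag survives
console.log(renderAssigneeItemSafe(SAMPLE_USER));   // shown as literal text
```

The point for the `.html()` question: `.html()` only makes the result safe if the server already escaped the stored value for HTML text context; `.text()` (or `textContent`) is safe regardless of what was stored, which is why it is the more robust default for rendering profile fields. The `hasOnlyExpectedMarkup` check is the kind of assertion a regression test can run over the rendered item for a name like the constructed sample.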


unknwon commented Feb 25, 2023

I want to avoid touching the ancient gogs.js file as much as possible... 😁 until being able to migrate to modern frontend technologies like ReactJS.

@unknwon unknwon added the 🔒 security Categorizes as related to security label Feb 25, 2023
@unknwon unknwon changed the title Security Vulnerability - Stored XSS Assignee Stored XSS Assignee Feb 25, 2023

unknwon commented Feb 25, 2023

0.12.11 has been released and includes the patch for the reported issue.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 27, 2023