CVE-2022-32174

Gogs - XSS

CVSS 9 CRITICAL · EPSS 58.0% · CWE-79
In short

Gogs versions 0.6.5 to 0.12.10 allow attackers to inject malicious scripts that are permanently stored on the site. When other users view the affected page, the scripts execute in their browsers, potentially allowing attackers to steal their accounts.

Technical detail

A stored XSS vulnerability in Gogs allows persistent injection of malicious JavaScript that executes across multiple user sessions. It enables account takeover by capturing session tokens or credentials when victims access the affected content. Affects versions v0.6.5 through v0.12.10.

Summary generated and translated by AI from the official description.
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected products
gogs · gogs
