Vulnerability Description
Gogs is an open source self-hosted Git service. In versions of Gogs prior to 0.12.9, `DisplayName` does not filter the characters a user enters, which leads to a stored cross-site scripting (XSS) vulnerability when the display name is rendered directly in the issue list: a user who sets a display name containing HTML or script gets it interpreted by the browser of anyone viewing an issue list in which that name appears. The issue is resolved in commit 155cae1d, which sanitizes `DisplayName` before it is displayed to the user. All users of Gogs are advised to upgrade to 0.12.9 or later. Users unable to upgrade should check their users' display names for HTML metacharacters such as `<`, `>` and `"` and remove or neutralize any that carry markup.
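The following Go program is an added illustration and is not code from Gogs or from the fixing commit; it does not reproduce the project's actual templates or the exact form of the fix. It assumes the bug mechanism is the common one for this class of issue in Go web applications: the user-controlled display name is marked as trusted `template.HTML`, which bypasses `html/template`'s contextual autoescaping. The hardened row passes the name as a plain string instead. `AuditDisplayNames` is the interim check suggested above for installs that cannot upgrade yet, run over a constructed list of names; the names, the issue title and the function names are all made up for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// issueRow is the data one row of an issue list needs: the issue title and the
// display name of the user who opened it. The display name is user-controlled.
// Author is interface{} so the same template can receive either a plain string
// (autoescaped) or a template.HTML value (trusted, emitted verbatim).
type issueRow struct {
	Title  string
	Author interface{}
}

// rowTmpl renders one row. html/template escapes ordinary string values for the
// HTML text context they land in, but passes template.HTML values through as-is.
var rowTmpl = template.Must(template.New("row").Parse(
	`<tr><td>{{.Title}}</td><td class="author">{{.Author}}</td></tr>`))

func render(row issueRow) string {
	var b strings.Builder
	if err := rowTmpl.Execute(&b, row); err != nil {
		panic(err) // static template with plain data; cannot fail in this example
	}
	return b.String()
}

// RenderRowUnsafe reproduces the assumed vulnerable pattern: the display name is
// cast to template.HTML, so any markup it contains reaches the page unescaped.
func RenderRowUnsafe(title, displayName string) string {
	return render(issueRow{Title: title, Author: template.HTML(displayName)})
}

// RenderRowSafe passes the display name as a plain string, so html/template
// turns < > & " ' into entities before the value reaches the browser.
func RenderRowSafe(title, displayName string) string {
	return render(issueRow{Title: title, Author: displayName})
}

// AuditDisplayNames is an interim check for installs that cannot upgrade yet:
// it returns every name containing a character that can open or close an HTML
// tag or attribute. Apostrophes and ampersands are deliberately not flagged,
// since they are common in legitimate names; tighten the set if your data allows.
func AuditDisplayNames(names []string) []string {
	var flagged []string
	for _, n := range names {
		if strings.ContainsAny(n, "<>\"") {
			flagged = append(flagged, n)
		}
	}
	return flagged
}

func main() {
	// Constructed payload: a display name carrying an event-handler attribute.
	payload := `<img src=x onerror=alert(1)>`
	fmt.Println("unsafe:", RenderRowUnsafe("Bug #1", payload))
	fmt.Println("safe:  ", RenderRowSafe("Bug #1", payload))
	// Constructed user list: one ordinary name, one with an apostrophe, one payload.
	fmt.Println("audit: ", AuditDisplayNames([]string{"Alice", "Bob O'Brien", payload}))
}
```

Running it prints the unsafe row with the `<img ...>` tag intact, the safe row with `&lt;img src=x onerror=alert(1)&gt;` in its place, and an audit result containing only the payload name. The general lesson is the one the advisory implies: any value a user controls must go through the escaper for the context it is rendered in, and casting to `template.HTML` (or using an unescaped template action) is only correct for markup the server itself generated.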
CVSS Score
MEDIUM (base score 5.4)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gogs | Gogs | < 0.12.9 |
References
- https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee (Patch, Third Party Advisory)
- https://github.com/gogs/gogs/pull/7009 (Issue Tracking, Third Party Advisory)
- https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2 (Issue Tracking, Third Party Advisory)
FAQ
What is CVE-2022-31038?
CVE-2022-31038 is a stored cross-site scripting (XSS) vulnerability in Gogs, an open source self-hosted Git service, with a CVSS base score of 5.4 (MEDIUM). In versions of Gogs prior to 0.12.9, `DisplayName` does not filter the characters a user enters, so a display name containing HTML or script is rendered unescaped in the issue list and executes in the browser of anyone who views it.
How severe is CVE-2022-31038?
CVE-2022-31038 is rated MEDIUM with a CVSS base score of 5.4/10. Exploitation requires a Gogs account that can set a display name and a victim who views an issue list in which that name is rendered.
Is there a patch for CVE-2022-31038?
Yes. The fix is commit 155cae1d (pull request 7009), which sanitizes `DisplayName` before display and ships in Gogs 0.12.9; see the references above for the commit, the pull request and the GitHub security advisory. Affected product: Gogs, versions before 0.12.9.