Headline
CVE-2022-46181: Only serve image files on ./image by jmattheis · Pull Request #535 · gotify/server
Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client side scripts if another user opened a link. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won’t natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. The vulnerability has been fixed in version 2.2.2. As a workaround, you can block access to non image files via a reverse proxy in the ./image directory.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
Pick a username
Email Address
Password
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Related news
### Impact The XSS vulnerability allows authenticated users to upload .html files. With that, an attacker could execute client side scripts **if** another user opened a link, such as: ``` https://push.example.org/image/[alphanumeric string].html ``` An attacker could potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. ### Patches The vulnerability has been fixed in version 2.2.2. ### Workarounds You can block access to non image files via a reverse proxy in the `./image` directory. ### References https://github.com/gotify/server/pull/534 https://github.com/gotify/server/pull/535 --- Thanks to rickshang (aka 无在无不在) for discovering and reporting this bug.