Headline
GHSA-xh32-cx6c-cp4v: Gogs XSS allowed by stored call in PDF renderer
Summary
A stored XSS is present in Gogs that allows client-side JavaScript code execution.
Details
Gogs Version:
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
gogs/gogs latest fe92583bc4fe 10 hours ago 99.3MB
Application version: 0.14.0+dev
Local setup using:
# Pull image from Docker Hub.
docker pull gogs/gogs
# Create local directory for volume.
sudo mkdir -p /var/gogs
# Use `docker run` for the first time.
docker run --name=gogs -p 10022:22 -p 10880:3000 -v /var/gogs:/data gogs/gogs
The vulnerability is caused by the use of a vulnerable and outdated component, pdfjs-1.4.20, bundled under public/plugins/.
Read more about this vulnerability at codeanlabs - CVE-2024-4367.
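A defender-side check that follows from the Details above, added here as an example (it is not code from the advisory or from Gogs): it walks an install's public/plugins/ directory and flags any bundled pdf.js whose version predates the CVE-2024-4367 fix. The fixed version 4.2.67 (from the upstream pdf.js advisory) and the install-root argument are assumptions of the example, not values from this page; the directory-name convention pdfjs-1.4.20 is the one the advisory cites.

```go
// Added example, not Gogs code: flag a pdf.js copy bundled under public/plugins/ whose version predates the CVE-2024-4367 fix.
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// First pdf.js release carrying the CVE-2024-4367 fix (taken from the upstream pdf.js advisory; an assumption of this example, not a value from this page).
var FixedVersion = [3]int{4, 2, 67}

// ParsePdfjsVersion reads major.minor.patch from a plugin directory name such as "pdfjs-1.4.20"; ok is false for anything else.
func ParsePdfjsVersion(dirName string) (v [3]int, ok bool) {
	n, err := fmt.Sscanf(dirName, "pdfjs-%d.%d.%d", &v[0], &v[1], &v[2])
	return v, err == nil && n == 3
}

func rank(v [3]int) int { return v[0]*1_000_000 + v[1]*1_000 + v[2] } // lexicographic order as one int; components below 1000 assumed

// IsVulnerable reports whether dirName holds a pdf.js build older than FixedVersion.
func IsVulnerable(dirName string) bool {
	v, ok := ParsePdfjsVersion(dirName)
	return ok && rank(v) < rank(FixedVersion)
}

// ScanPlugins lists vulnerable pdf.js directories under <gogsRoot>/public/plugins.
func ScanPlugins(gogsRoot string) ([]string, error) {
	entries, err := os.ReadDir(filepath.Join(gogsRoot, "public", "plugins"))
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, e := range entries {
		if e.IsDir() && IsVulnerable(e.Name()) {
			bad = append(bad, e.Name())
		}
	}
	return bad, nil
}

func main() {
	bad, err := ScanPlugins(os.Args[1]) // usage: go run . <gogs install root> (path supplied by the operator)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Println("vulnerable pdf.js bundles under public/plugins:", bad)
}
```

Run it against the install root of the container's /data volume (or wherever Gogs is unpacked) after an upgrade to confirm the old plugin directory is actually gone and not merely shadowed by a newer one.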
PoC
- Upload the proof-of-concept file hosted at https://codeanlabs.com/wp-content/uploads/2024/05/poc_generalized_CVE-2024-4367.pdf to a repository.
- Click on the file to be previewed.
Credits
Edoardo Ottavianelli