GHSA-ff28-f46g-r9g8: Cross-site Scripting in Gogs

Impact

The malicious user is able to upload a crafted SVG file as the issue attachment to archive XSS. All installations allow uploading SVG (text/xml) files as issue attachments (non-default) are affected.

Patches

Correctly setting the Content Security Policy for the serving endpoint. Users should upgrade to 0.12.7 or the latest 0.13.0+dev.

Workarounds

Disable uploading SVG files (text/xml) as issue attachments.

References

https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/

For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6919.