Closed
Description
In GitHub Security Advisory GHSA-ff28-f46g-r9g8, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| gogs.io/gogs | 0.12.7 | < 0.12.7 |
See doc/triage.md for instructions on how to triage this report.
packages:
  - package: gogs.io/gogs
    versions:
      - fixed: 0.12.7
description: |
    ### Impact
    A malicious user is able to upload a crafted SVG file as an issue attachment to achieve XSS. All installations that [allow uploading SVG (`text/xml`) files as issue attachments (non-default)](https://github.com/gogs/gogs/blob/e51e01683408e10b3dcd2ace65e259ca7f0fd61b/conf/app.ini#L283-L284) are affected.
    ### Patches
    The fix correctly sets the Content Security Policy for the serving endpoint. Users should upgrade to 0.12.7 or the latest 0.13.0+dev.
    ### Workarounds
    [Disable uploading SVG files (`text/xml`) as issue attachments](https://github.com/gogs/gogs/blob/e51e01683408e10b3dcd2ace65e259ca7f0fd61b/conf/app.ini#L283-L284).
    ### References
    https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/
    ### For more information
    If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6919.
published: 2022-05-24T20:48:14Z
last_modified: 2022-05-24T20:48:17Z
cves:
  - CVE-2022-1464
ghsas:
  - GHSA-ff28-f46g-r9g8
links:
  context:
    - https://github.com/advisories/GHSA-ff28-f46g-r9g8
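The class of fix named under Patches above (a restrictive Content Security Policy on the attachment-serving endpoint) as an added Go example; this is not Gogs's own code, and the in-memory `attachments` store, the `/attachments/` route and the exact policy string are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// attachmentCSP is applied to every served attachment: default-src 'none' blocks
// script execution and all sub-resource loads, so an uploaded SVG with <script>
// or event-handler attributes renders as a static image; inline styles still work.
const attachmentCSP = "default-src 'none'; style-src 'unsafe-inline'"

// attachments is a constructed in-memory stand-in for uploaded issue attachments
// (hypothetical). The SVG is stored as text/xml, the type the advisory names.
var attachments = map[string]struct {
	ctype string
	body  []byte
}{
	"logo.svg": {"text/xml", []byte(`<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>`)},
}

// serveAttachment is the serving endpoint: it returns the stored bytes with their
// declared type but pins the restrictive CSP and nosniff on every response.
func serveAttachment(w http.ResponseWriter, r *http.Request) {
	name := strings.TrimPrefix(r.URL.Path, "/attachments/")
	a, ok := attachments[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	h := w.Header()
	h.Set("Content-Type", a.ctype)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", attachmentCSP)
	w.Write(a.body)
}

// headersFor drives serveAttachment through an in-memory request and returns the
// status code and response headers so the applied policy can be checked.
func headersFor(path string) (int, http.Header) {
	rec := httptest.NewRecorder()
	serveAttachment(rec, httptest.NewRequest(http.MethodGet, path, nil))
	res := rec.Result()
	return res.StatusCode, res.Header
}

func main() {
	code, h := headersFor("/attachments/logo.svg")
	fmt.Println(code, h.Get("Content-Security-Policy"))
}
```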