Stored XSS bug in gogs/gogs
Reported on
Apr 12th 2022
Description
Stored XSS bug.
Proof of Concept
Create a public repo and create an issue.
Now, in the issue, upload an HTML file with an XSS payload inside.
When any user views the repo and clicks the attachment link, the XSS is executed.
You can also upload this file: https://github.com/ranjit-git/poc/edit/master/evilsvgfile.svg
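The root cause described above is that a user-uploaded HTML or SVG attachment is served inline, in the site's own origin, so any script inside it runs with the viewer's session. The following Go handler is an added example of the defensive serving pattern (forced download, sniffing disabled, active document types downgraded); it is not Gogs' own code or its actual patch, and the `Attachment` type, the `activeTypes` list and the sample inputs are constructed assumptions.

```go
package main

import (
	"mime"
	"net/http"
	"path/filepath"
	"strings"
)

// Attachment is a constructed stand-in for an issue attachment record (assumption).
type Attachment struct {
	Name string
	Data []byte
}

// MIME types a browser would render as a scriptable document if served inline (assumed list).
var activeTypes = []string{"text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml"}

func isActive(ct string) bool {
	for _, t := range activeTypes {
		if strings.HasPrefix(ct, t) {
			return true
		}
	}
	return false
}

// SafeContentType decides the Content-Type an upload may be served with. Both the
// sniffed bytes and the extension are checked: http.DetectContentType classifies an
// SVG as text/plain, while an extension alone is trivially renamed by the uploader.
func SafeContentType(name string, data []byte) string {
	sniffed := http.DetectContentType(data)
	if isActive(sniffed) || isActive(mime.TypeByExtension(filepath.Ext(name))) {
		return "application/octet-stream"
	}
	return sniffed
}

// ServeAttachment sends the file as a forced download with sniffing disabled, so
// the browser never treats user-uploaded markup as a page in the site's origin.
// mime.FormatMediaType quotes or percent-encodes the filename, preventing header injection.
func ServeAttachment(w http.ResponseWriter, a Attachment) {
	w.Header().Set("Content-Type", SafeContentType(a.Name, a.Data))
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": a.Name}))
	w.WriteHeader(http.StatusOK)
	w.Write(a.Data)
}
```

Serving uploads from a separate, cookie-less origin is the stronger long-term fix; the headers above are the minimum that stops inline execution on the main origin.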
VIDEO
https://drive.google.com/file/d/11wxTj8ILFLxRe2uoAvQ_39i7Hqa1tWHI/view?usp=sharing
Impact
As the repo is public, any user can view the report, and when they open the attachment the XSS is executed. This bug allows executing arbitrary JavaScript code in the victim's account.
The patch has landed in https://github.com/gogs/gogs/commit/cb35b73048b91ca32ee89d5b05a09552db8e5faf, but we will only "Mark as fixed" until a new release is published according to security policy (https://github.com/gogs/gogs/blob/main/SECURITY.md).
The patch has been published, thanks again for finding this vulnerability!