Stored XSS bug in go-gitea/gitea
May 6th 2022
Stored XSS bug
Proof of Concept
I created a repository on try.gitea.io and uploaded a PDF file containing an XSS vector.
Just click the "Raw" button; the XSS vector will be triggered.
Suggested fix: prohibit viewing PDF files directly in the browser's built-in viewer.
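One way to implement that fix, as an added Go example that is not Gitea's own code: the raw-file response sniffs the content type from the bytes (never from the user-chosen extension), lets only plain text and raster images render inline, and delivers everything else, PDF included, as a nosniff download so the browser's viewer never opens it in the site's origin. The helper names rawFileHeaders and ServeRaw are hypothetical.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// Types that can render inline without a chance to run script in the site's
// origin. Anything else (PDF, HTML, SVG, ...) is forced to download.
var inlineSafe = map[string]bool{
	"text/plain": true,
	"image/png":  true,
	"image/jpeg": true,
	"image/gif":  true,
}

// rawFileHeaders (hypothetical helper) picks response headers for a raw file.
// The type is sniffed from the leading bytes, not the user-controlled name.
func rawFileHeaders(filename string, data []byte) http.Header {
	h := http.Header{}
	sniffed := http.DetectContentType(data)
	base := strings.TrimSpace(strings.SplitN(sniffed, ";", 2)[0])
	h.Set("X-Content-Type-Options", "nosniff")
	if inlineSafe[base] {
		h.Set("Content-Type", sniffed)
		h.Set("Content-Disposition", mime.FormatMediaType("inline", map[string]string{"filename": filename}))
		return h
	}
	// Generic type plus attachment disposition: the browser downloads instead of rendering.
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": filename}))
	return h
}

// ServeRaw (hypothetical) writes a raw repository file using those headers.
func ServeRaw(w http.ResponseWriter, filename string, data []byte) {
	for k, v := range rawFileHeaders(filename, data) {
		w.Header()[k] = v
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(data)
}

func main() {
	// Constructed sample: only a PDF header, no real document content.
	h := rawFileHeaders("doc.pdf", []byte("%PDF-1.4\n% constructed sample\n"))
	fmt.Println(h.Get("Content-Type"), "|", h.Get("Content-Disposition"))
}
```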