Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-31038

Good to know:

icon

Date: June 8, 2022

Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 "DisplayName" does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes "DisplayName" prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters.

Language: Go

Severity Score

Related Resources (7)

https://github.com/gogs/gogs/releases/tag/v0.12.9
https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee
https://github.com/gogs/gogs
https://nvd.nist.gov/vuln/detail/CVE-2022-31038
https://github.com/gogs/gogs/pull/7009
https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2
https://www.mend.io/vulnerability-database/CVE-2022-31038

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

Top Fix

icon

Upgrade Version

Upgrade to version gogs.io/gogs - v0.12.9

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): SINGLE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us