Impact
The malicious user is able to upload a crafted SVG file as the issue attachment to archive XSS. All installations allow uploading SVG (text/xml) files as issue attachments (non-default) are affected.
Patches
Correctly setting the Content Security Policy for the serving endpoint. Users should upgrade to 0.12.7 or the latest 0.13.0+dev.
Workarounds
Disable uploading SVG files (text/xml) as issue attachments.
References
https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/
For more information
If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6919.
References
- https://github.com/gogs/gogs/security/advisories/GHSA-ff28-f46g-r9g8
- https://nvd.nist.gov/vuln/detail/CVE-2022-1464
- https://github.com/gogs/gogs/commit/bc77440b301ac8780698be91dff1ac33b7cee850
- https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d
- https://github.com/advisories/GHSA-ff28-f46g-r9g8