CVE-2022-31038: XSS
First published: Thu Jun 09 2022(Updated: )
Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gogs Gogs | <0.12.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-31038?
CVE-2022-31038 is an XSS vulnerability in Gogs, an open source self-hosted Git service, prior to version 0.12.9.
How does CVE-2022-31038 affect Gogs?
CVE-2022-31038 allows attackers to perform cross-site scripting (XSS) attacks when inputting characters into the DisplayName field of Gogs, which can be directly displayed in the issue list.
What is the severity of CVE-2022-31038?
CVE-2022-31038 has a severity rating of medium with a CVSS score of 5.4.
How can I fix CVE-2022-31038?
To fix CVE-2022-31038, update Gogs to version 0.12.9 or later, which includes a fix for the XSS vulnerability in the DisplayName field.
Where can I find more information about CVE-2022-31038?
More information about CVE-2022-31038 can be found in the following references: [GitHub commit](https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee), [GitHub pull request](https://github.com/gogs/gogs/pull/7009), [GitHub Security Advisory](https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2).
- collector/nvd-index
- vendor/gogs
- canonical/gogs gogs