GoogleOSV:GHSA-3244-8MFF-W398Reflected XSS in Gotify's /docs via import of outdated Swagger UI
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.007 Low
EPSS
Percentile
80.2%
Impact
Gotify exposes an outdated instance of the Swagger UI API documentation frontend at /docs which is susceptible to reflected XSS attacks when loading external Swagger config files.
Specifically, the DOMPurify version included with this version of Swagger UI is vulnerable to a rendering XSS incorporating the mutation payload detailed in CVE-2020-26870 which was patched in 2021. This is further tracked in the GitHub Advisory Database as GHSA-QRMM-W75W-3WPX.
An attacker can execute arbitrary JavaScript and potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won’t natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify.
Patches
The vulnerability has been fixed in version 2.2.3.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/gotify/server | lt | 2.2.3 |
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.007 Low
EPSS
Percentile
80.2%