Vulners
Lucene search
Gogs Markdown Renderer Cross Site Scripting
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Gogs Markdown Renderer Cross Site Scripting Vulnerability | 16 Nov 201400:00 | – | zdt |
 | CVE-2014-8683 | 21 Nov 201415:00 | – | cve |
 | CVE-2014-8683 | 21 Nov 201415:00 | – | cvelist |
 | EUVD-2021-1303 | 7 Oct 202500:30 | – | euvd |
 | Cross-site Scripting in Gogs | 29 Jun 202118:32 | – | github |
 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 29 Jun 202100:00 | – | gitlab |
 | CVE-2014-8683 | 21 Nov 201415:59 | – | nvd |
 | Gogs >= 0.3.1, < 0.5.8 Multiple Vulnerabilities | 6 Feb 201500:00 | – | openvas |
 | GHSA-9HX4-QM7H-X84J Cross-site Scripting in Gogs | 29 Jun 202118:32 | – | osv |
| GO-2022-0642 Cross-site Scripting in Gogs in gogs.io/gogs | 21 Aug 202415:21 | – | osv |
10
`
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
XSS in Gogs Markdown Renderer
=============================
Researcher: Timo Schmid <[email protected]>
Description
===========
Gogs(Go Git Service) is a painless self-hosted Git Service written in
Go. (taken
from [1])
It is very similiar to the github hosting plattform. Multiple users can
create
multiple repositories and share code with others with the git version
control
system. Repositories can be marked as public or private to prevent
access from
unauthorized users.
Gogs provides two api views to transform markdown into HTML at the urls
/api/v1/markdown and /api/v1/markdown/raw
The transformation is vulnerable to XSS.
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
CVSS Base Score
===============
4.3 (AV:N / AC:M / Au:N / C:P / I:N / A:N)
CVE-ID
======
CVE-2014-8683
Impact
======
The vulnerability could be used together with social engineering attacks
to gain
access to restricted resources by extracting authentication tokens from
cookies
or by executing commands in the context of the logged in victim.
Status
======
Not fixed
Vulnerable Code Section
=======================
models/issue.go:
[...]
func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte {
body := RenderSpecialLink(rawBytes, urlPrefix)
body = RenderRawMarkdown(body, urlPrefix)
return body
}
func RenderMarkdownString(raw, urlPrefix string) string {
return string(RenderMarkdown([]byte(raw), urlPrefix))
}
[...]
Proof of Concept
================
Form to trigger XSS:
<form action="http://example.com/api/v1/markdown" method="post">
<input name="text" value="<img
onerror="alert("XSS")
" src="x">">
<input type="submit">
</form>
Response:
<p><img onerror="alert("XSS")" src="x"></p>
Solution
========
The markdown processing should reject or filter any HTML input and
process only
markdown content.
Affected Versions
=================
>= v0.3.1-9-g49dc57e
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-14: CVE-ID assigned
Credits
=======
Pascal Turbing <[email protected]>
Jiahua (Joe) Chen <[email protected]>
References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[4] https://www.ernw.de/download/BC-1404.txt
Advisory-ID
===========
BC-1404
Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
- --
Timo Schmid
ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================
================== TROOPERS15 ==================
* International IT Security Conference & Workshops
* 16th - 20st March 2015 / Heidelberg, Germany
* www.troopers.de
====================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBAwAGBQJUZlGDAAoJEHq2kn1vJmzgr28H/20Yb2h9Wj7eUD7/L8jggNVz
QISEQYsS6tuUGM59fYNRj7qGa/PnX5biaW3qD2Zy3erS+CfO4pFOGMZcjFSyNrL5
sFZmVAYftGnPLYTFh2Wt4iV3Yx3CgPzdlYZFSqXDynw5xWokSTqnlquwiUrIG1JW
45CYitwsTd9KzaoCMzeQeiPbSbjrZ+kQyM6+iMuBTqyfpbIf1A4kpJi0sULEU/a2
fMPUmlFoFBSlIfxUXKY8sRcritZHI9GiMnVOGsHxtW3RSszP3MfNDu0uJ4AaAHRF
3J1AH2DCuKrig9rMxUWzI3RrogOc5HrQYIIhM2gv8E7W2xkP4Ypozxwaw7JwBS4=
=uWDU
-----END PGP SIGNATURE-----
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Nov 2014 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.01909