4.3 Medium
CVSS2
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
github.com/gogits/gogs is vulnerable to cross-site scripting (XSS) attacks. The library does not sanitize markdown before rendering it, allowing an attacker to execute arbitrary code via markdown comments.
CPE

Name | Operator | Version
---|---|---
github.com/gogits/gogs | eq | HEAD
github.com/gogits/gogs | le | 0.5.5
gogs.io/docs/intro/change_log.html
packetstormsecurity.com/files/129118/Gogs-Markdown-Renderer-Cross-Site-Scripting.html
seclists.org/bugtraq/2014/Nov/79
seclists.org/fulldisclosure/2014/Nov/34
www.securityfocus.com/archive/1/533996/100/0/threaded
exchange.xforce.ibmcloud.com/vulnerabilities/98693