Stored XSS in PDF renderer

Summary

A stored XSS is present in Gogs which allows client-side Javascript code execution.

Details

Gogs Version:

docker images
REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
gogs/gogs    latest    fe92583bc4fe   10 hours ago   99.3MB

Application version: 0.14.0+dev

Local setup using:

# Pull image from Docker Hub.
docker pull gogs/gogs
# Create local directory for volume.
sudo mkdir -p /var/gogs
# Use `docker run` for the first time.
docker run --name=gogs -p 10022:22 -p 10880:3000 -v /var/gogs:/data gogs/gogs

The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/.
Read more about this vulnerability at codeanlabs - CVE-2024-4367.

PoC

Upload the Proof of Concept file hosted at https://codeanlabs.com/wp-content/uploads/2024/05/poc_generalized_CVE-2024-4367.pdf in a repository.
Click on the file to be previewed.

Credits

Edoardo Ottavianelli

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Stored XSS in PDF renderer

Package

Affected versions

Patched versions

Description

Summary

Details

PoC

Credits

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits