CVE-2022-31038 (GCVE-0-2022-31038)
Vulnerability from cvelistv5 – Published: 2022-06-08 17:40 – Updated: 2025-04-23 18:18
VLAI?
Summary
Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.294Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gogs/gogs/pull/7009"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:05:54.052360Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:18:26.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.12.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users\u0027 display names for malicious characters."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-08T17:40:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/7009"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee"
}
],
"source": {
"advisory": "GHSA-xq4v-vrp9-vcf2",
"discovery": "UNKNOWN"
},
"title": "XSS vulnerability in repository issue list in Gogs",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31038",
"STATE": "PUBLIC",
"TITLE": "XSS vulnerability in repository issue list in Gogs"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gogs",
"version": {
"version_data": [
{
"version_value": "\u003c 0.12.9"
}
]
}
}
]
},
"vendor_name": "gogs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users\u0027 display names for malicious characters."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2",
"refsource": "CONFIRM",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2"
},
{
"name": "https://github.com/gogs/gogs/pull/7009",
"refsource": "MISC",
"url": "https://github.com/gogs/gogs/pull/7009"
},
{
"name": "https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee",
"refsource": "MISC",
"url": "https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee"
}
]
},
"source": {
"advisory": "GHSA-xq4v-vrp9-vcf2",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31038",
"datePublished": "2022-06-08T17:40:11.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:18:26.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.12.9\", \"matchCriteriaId\": \"4DAD0C2A-2575-4160-90B2-D024A0A41B0A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users\u0027 display names for malicious characters.\"}, {\"lang\": \"es\", \"value\": \"Gogs es un servicio Git de c\\u00f3digo abierto auto alojado. En versiones de gogs anteriores a 0.12.9 \\\"DisplayName\\\" no filtra la entrada de caracteres de los usuarios, lo que conlleva a una vulnerabilidad de tipo XSS cuando es mostrado directamente en la lista de problemas. Este problema ha sido resuelto en el commit 155cae1d que sanea \\\"DisplayName\\\" antes de mostrarlo al usuario. Es recomendado a todos los usuarios de gogs actualizar. Los usuarios que no puedan actualizarse deber\\u00edan comprobar si los nombres de pantalla de sus usuarios contienen caracteres maliciosos\"}]",
"id": "CVE-2022-31038",
"lastModified": "2024-11-21T07:03:45.870",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2022-06-09T17:15:09.917",
"references": "[{\"url\": \"https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/gogs/gogs/pull/7009\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/gogs/gogs/pull/7009\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-31038\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-06-09T17:15:09.917\",\"lastModified\":\"2024-11-21T07:03:45.870\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users\u0027 display names for malicious characters.\"},{\"lang\":\"es\",\"value\":\"Gogs es un servicio Git de c\u00f3digo abierto auto alojado. En versiones de gogs anteriores a 0.12.9 \\\"DisplayName\\\" no filtra la entrada de caracteres de los usuarios, lo que conlleva a una vulnerabilidad de tipo XSS cuando es mostrado directamente en la lista de problemas. Este problema ha sido resuelto en el commit 155cae1d que sanea \\\"DisplayName\\\" antes de mostrarlo al usuario. Es recomendado a todos los usuarios de gogs actualizar. Los usuarios que no puedan actualizarse deber\u00edan comprobar si los nombres de pantalla de sus usuarios contienen caracteres maliciosos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.12.9\",\"matchCriteriaId\":\"4DAD0C2A-2575-4160-90B2-D024A0A41B0A\"}]}]}],\"references\":[{\"url\":\"https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/gogs/gogs/pull/7009\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/gogs/gogs/pull/7009\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/gogs/gogs/pull/7009\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:03:40.294Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31038\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T14:05:54.052360Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T14:05:55.442Z\"}}], \"cna\": {\"title\": \"XSS vulnerability in repository issue list in Gogs\", \"source\": {\"advisory\": \"GHSA-xq4v-vrp9-vcf2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"gogs\", \"product\": \"gogs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.12.9\"}]}], \"references\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gogs/gogs/pull/7009\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users\u0027 display names for malicious characters.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-06-08T17:40:11.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}, \"source\": {\"advisory\": \"GHSA-xq4v-vrp9-vcf2\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003c 0.12.9\"}]}, \"product_name\": \"gogs\"}]}, \"vendor_name\": \"gogs\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2\", \"name\": \"https://github.com/gogs/gogs/security/advisories/GHSA-xq4v-vrp9-vcf2\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/gogs/gogs/pull/7009\", \"name\": \"https://github.com/gogs/gogs/pull/7009\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee\", \"name\": \"https://github.com/gogs/gogs/commit/155cae1de8916fc3fde78f350763034b7422caee\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users\u0027 display names for malicious characters.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-31038\", \"STATE\": \"PUBLIC\", \"TITLE\": \"XSS vulnerability in repository issue list in Gogs\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-31038\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T18:18:26.561Z\", \"dateReserved\": \"2022-05-18T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-06-08T17:40:11.000Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…