GHSA-XV6X-456V-24XH

Vulnerability from github – Published: 2022-12-30 00:58 – Updated: 2022-12-30 00:58
Summary
gotify/server vulnerable to Cross-site Scripting in the application image file upload
Details

Impact

The XSS vulnerability allows authenticated users to upload .html files. With that, an attacker could execute client-side scripts if another user opened a link, such as:

https://push.example.org/image/[alphanumeric string].html

An attacker could potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify.

Patches

The vulnerability has been fixed in version 2.2.2.

Workarounds

You can block access to non-image files in the ./image directory via a reverse proxy.
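The two defences the advisory describes, rejecting non-image uploads and refusing to serve anything but images from the image route, as an added Go example. It is not gotify's code or the fix in the linked pull requests; the allowlist, the function names and the /image/ prefix are assumptions for a generic Go HTTP service.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Allowlist of extensions the /image/ route may serve. SVG is left out on
// purpose because it can carry scripts. (Constructed list for this example.)
var allowedImageExt = map[string]bool{
	".png": true, ".jpg": true, ".jpeg": true, ".gif": true, ".webp": true,
}

// IsServableImagePath reports whether a cleaned request path points under
// /image/ at a file with an allowlisted extension; an uploaded .html never does.
func IsServableImagePath(reqPath string) bool {
	clean := path.Clean(reqPath)
	return strings.HasPrefix(clean, "/image/") &&
		allowedImageExt[strings.ToLower(path.Ext(clean))]
}

// IsImageUpload validates an upload on the way in: the name must carry an
// allowlisted extension and the leading bytes must sniff as an image, so an
// HTML document renamed to .png is rejected as well.
func IsImageUpload(filename string, head []byte) bool {
	if !allowedImageExt[strings.ToLower(path.Ext(filename))] {
		return false
	}
	return strings.HasPrefix(http.DetectContentType(head), "image/")
}

// ImageGuard is the in-process equivalent of the reverse-proxy workaround:
// anything under /image/ that is not an allowlisted image gets a 404, and
// allowed files are served with headers that stop sniffing and script execution.
func ImageGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !IsServableImagePath(r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("Content-Security-Policy", "default-src 'none'")
		next.ServeHTTP(w, r)
	})
}

func main() {
	fmt.Println(IsServableImagePath("/image/abc.html"))          // false
	fmt.Println(IsImageUpload("a.png", []byte("<html><script>"))) // false
}
```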

References

https://github.com/gotify/server/pull/534
https://github.com/gotify/server/pull/535


Thanks to rickshang (aka 无在无不在) for discovering and reporting this bug.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gotify/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T00:58:09Z",
    "nvd_published_at": "2022-12-29T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe XSS vulnerability allows authenticated users to upload .html files. With that, an attacker could execute client side scripts **if** another user opened a link, such as:\n\n```\nhttps://push.example.org/image/[alphanumeric string].html\n```\n\nAn attacker could potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won\u0027t natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify.\n\n### Patches\n\nThe vulnerability has been fixed in version 2.2.2.\n\n### Workarounds\n\nYou can block access to non image files via a reverse proxy in the `./image` directory.\n\n### References\n\nhttps://github.com/gotify/server/pull/534\nhttps://github.com/gotify/server/pull/535\n\n---\n\nThanks to rickshang (aka \u65e0\u5728\u65e0\u4e0d\u5728) for discovering and reporting this bug.",
  "id": "GHSA-xv6x-456v-24xh",
  "modified": "2022-12-30T00:58:09Z",
  "published": "2022-12-30T00:58:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46181"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gotify/server/pull/534"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gotify/server/pull/535"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gotify/server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "gotify/server vulnerable to Cross-site Scripting in the application image file upload"
}