Wuhan005

**Name of the Vulnerable Software and Affected Versions** Gogs versions prior to 0.12.9 **Description** The issue is related to an XSS vulnerability in the repository issue list of Gogs, an open source self-hosted Git service. In affected versions, the `DisplayName` does not filter characters input from users, leading to an XSS vulnerability when directly displayed in the issue list. Users are advised to upgrade to resolve the issue. For users unable to upgrade, it is recommended to check their users' display names for malicious characters. **Recommendations** For versions prior to 0.12.9, upgrade to 0.12.9 or the latest 0.13.0+dev to resolve the issue. As a temporary workaround, check and update the existing users' display names that contain malicious characters.

**Name of the Vulnerable Software and Affected Versions** OctoRPKI (affected versions not specified) **Description** The issue allows a repository to create a file that can be written to disk outside the base cache folder due to a failure to escape a URI with a filename containing "..". This could enable remote code execution on the host machine running OctoRPKI. The vulnerability is related to directory traversal attacks, where the `ExtractPathManifest` function permits file paths containing relative directory components (".."), allowing files to reference arbitrary locations on the filesystem. For example, a repository could create a file using the `rsync://example.org/repo/../../etc/cron.daily/evil.roa` URI. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.