PT-2022-13907 · Gogs · Gogs

Published: 2022-05-05 · Updated: 2024-08-21 · CVE-2022-1464

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: gogs/gogs versions prior to 0.12.7

Description: The issue is a stored cross-site scripting (XSS) bug in the gogs/gogs GitHub repository. It allows arbitrary JavaScript to be executed in a victim's account. The vulnerability is triggered when a user opens an attachment in a public repository, allowing any user to view the report and trigger the XSS. The estimated number of potentially affected devices is not specified.

Recommendations: For versions prior to 0.12.7, upgrade to 0.12.7 or the latest 0.13.0+dev to resolve the issue. As a temporary workaround, consider disabling the upload of SVG files as issue attachments, or setting a correct Content Security Policy on the endpoint that serves them.
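One way to implement the Content Security Policy workaround from the recommendations, as an added Go example that is not Gogs's own code: it assumes a hypothetical attachment route `/attachments/<name>` backed by an in-memory `store`, and it goes slightly beyond the advisory by also forbidding MIME sniffing and by recognising SVG from the file bytes, not only the extension.

```go
package main

import (
	"bytes"
	"mime"
	"net/http"
	"strings"
)

// isSVG checks the extension and the bytes, so a renamed upload or a
// lying Content-Type cannot slip an SVG document past the policy.
func isSVG(name string, data []byte) bool {
	lower := strings.ToLower(name)
	if strings.HasSuffix(lower, ".svg") || strings.HasSuffix(lower, ".svgz") {
		return true
	}
	return bytes.Contains(bytes.ToLower(data), []byte("<svg"))
}

// setAttachmentHeaders is the mitigation: declare the type honestly, forbid
// sniffing, and for SVG deny scripts and external loads via CSP and force a
// download when opened as a top-level document (an <img> reference still
// renders, and scripts inside it stay inert either way).
func setAttachmentHeaders(h http.Header, name string, data []byte) {
	h.Set("X-Content-Type-Options", "nosniff")
	if isSVG(name, data) {
		h.Set("Content-Type", "image/svg+xml")
		h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
		h.Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": name}))
		return
	}
	h.Set("Content-Type", http.DetectContentType(data))
	h.Set("Content-Security-Policy", "default-src 'none'")
}

// serveAttachment is a constructed stand-in for the attachment route;
// store maps name to bytes already loaded after the repository access check.
func serveAttachment(store map[string][]byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(r.URL.Path, "/attachments/")
		data, ok := store[name]
		if !ok {
			http.NotFound(w, r)
			return
		}
		setAttachmentHeaders(w.Header(), name, data)
		w.Write(data)
	})
}
```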

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2022-1464
GHSA-FF28-F46G-R9G8
GO-2022-0597

Affected Products

Gogs