Gogs Stored Cross-Site Scripting Vulnerability in Issue Comments

Vulnerability

A stored cross-site scripting vulnerability has been identified in Gogs, an open-source self-hosted Git service, prior to version 0.14.2. It allows authenticated users to inject arbitrary JavaScript into issue comments and descriptions. The root cause is that the application's HTML sanitizer permits the data: URI scheme in link targets, so a link whose target is a data: URI carrying script survives sanitization and executes when followed. The vulnerability has been patched in version 0.14.2.
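The sanitizer weakness described above, shown from the defender's side as an added example that is not code from Gogs or from this advisory: a link-target scheme allowlist written in Go against the standard library only. The names (`allowedSchemes`, `permissiveSchemes`, `safeHref`, `filterHrefs`) and the sample hrefs are assumptions constructed for this example; `permissiveSchemes` models a sanitizer configuration that also admits `data`, the class of configuration the advisory describes, and `allowedSchemes` is the corrected policy. The data: sample carries plain text, not script.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes is the corrected policy: only these schemes may appear in a
// link target. "data" is deliberately absent, because a data: URI can carry
// HTML and script, which is the bypass class this advisory describes.
// (Hypothetical policy for this example, not the Gogs sanitizer's own list.)
var allowedSchemes = map[string]bool{
	"http":   true,
	"https":  true,
	"mailto": true,
}

// permissiveSchemes models the weak configuration: the same list plus "data".
var permissiveSchemes = map[string]bool{
	"http":   true,
	"https":  true,
	"mailto": true,
	"data":   true,
}

// safeHref reports whether an href value may be kept under the given scheme
// policy. Scheme-less values are treated as relative, in-site links and kept;
// any absolute URI must use an allowlisted scheme, compared case-insensitively.
// url.Parse rejects control bytes (tab, newline) outright, which matters
// because browsers strip those bytes before recognising a scheme; refusing
// such values is safer than trying to guess how a browser would read them.
func safeHref(href string, schemes map[string]bool) bool {
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true
	}
	return schemes[strings.ToLower(u.Scheme)]
}

// filterHrefs returns the subset of hrefs that the policy keeps, in order.
func filterHrefs(hrefs []string, schemes map[string]bool) []string {
	var kept []string
	for _, h := range hrefs {
		if safeHref(h, schemes) {
			kept = append(kept, h)
		}
	}
	return kept
}

// sampleHrefs are constructed inputs for the demonstration only.
var sampleHrefs = []string{
	"https://example.com/user/repo",
	"/user/repo/issues/1",
	"mailto:maintainer@example.com",
	"data:text/plain,hello",
	"DATA:text/plain,hello",
	"javascript:void(0)",
	"java\tscript:void(0)",
}

func main() {
	policies := []struct {
		name    string
		schemes map[string]bool
	}{
		{"permissive (data: allowed)", permissiveSchemes},
		{"corrected (data: rejected)", allowedSchemes},
	}
	for _, p := range policies {
		kept := filterHrefs(sampleHrefs, p.schemes)
		fmt.Printf("%s keeps %d of %d link targets:\n", p.name, len(kept), len(sampleHrefs))
		for _, h := range kept {
			fmt.Printf("  %q\n", h)
		}
	}
}
```

Under the permissive policy both data: samples pass (the uppercase one because the scheme comparison is case-insensitive, as it must be, since browsers treat DATA: and data: alike); under the corrected policy only the https, relative and mailto targets survive. Note that an allowlist of schemes is the right shape for this check: a denylist that names javascript: and data: will miss the next scheme that a browser is willing to execute.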

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the comment. This could lead to theft of authentication cookies and session tokens, unauthorized actions on behalf of the victim, or redirection to malicious websites.

Reproduction

To reproduce this vulnerability, create a file named 'exploit.md' in a Gogs repository. Add a raw HTML link using a data URI that includes a JavaScript payload, such as a base64-encoded script. After committing and pushing the file, navigate to it in the Gogs web interface and click the link. This will trigger the JavaScript execution, demonstrating the cross-site scripting vulnerability.

Remediation

Update to Gogs version 0.14.2 or later, which contains the fix for this vulnerability.

Added: Mar 5, 2026, 7:30 PM
Updated: Mar 5, 2026, 7:52 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          1.7
exploitability  6.2
remediation     7.7
relevance       3.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.