-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| code.gitea.io/gitea | go | >= 1.7.2, < 1.7.4 | 1.7.4 |
Miggo AIRoot Cause AnalysisThe vulnerability stemmed from improper HTML sanitization in repository descriptions. The commit diff shows the vulnerable version used descPattern.ReplaceAllStringFunc with a sanitize function that wrapped URLs in anchor tags but didn't properly handle all XSS vectors. The patch replaced this with markup.RenderDescriptionHTML which adds proper link processing and additional sanitization. The key vulnerable function was DescriptionHTML in models/repo.go which handled the unsafe rendering before proper security processing was added in the fix.