CVE-2019-16146: Gophish XSS Vulnerability
4.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.46406%
CWE
Published
5/24/2022
Updated
7/17/2023
KEV Status
No
Technology
Go
GoTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/gophish/gophish | go | < 0.8.0 | 0.9.0 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stems from unsanitized insertion of user.username in multiple UI feedback mechanisms. The commit 24fe998 shows critical fixes:
- Replaced template literals with escapeHtml() in success messages for user operations
- Added HTML escaping in deletion confirmation dialogs
- Affected code paths handle admin-facing user management features where malicious usernames could be rendered without proper output encoding, enabling stored XSS against administrators.