
CVE-2022-1928: Stored Cross-site Scripting in gitea

CVSS Score: 4.4 (CVSS v3.0)

Basic Information

EPSS Score: 0.27465%
Published: 5/30/2022
Updated: 1/30/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
code.gitea.io/gitea | go | < 1.16.9 | 1.16.9

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The patch (65e0688) modifies the ServeData function in routers/common/repo.go to add PDF-specific header handling. Before the fix, PDF files were served without the Content-Type the patch now sets for them (application/octet-stream) and without a restrictive Content-Security-Policy, so a PDF with embedded JavaScript, once uploaded to a repository, could be rendered by the browser under Gitea's origin with nothing restricting its script; that is the stored XSS. The weakness matches CWE-79 (improper neutralization of input during web page generation), and the commit addresses it directly by setting security headers on PDF responses. A victim has to open the crafted file for the script to run, which the vector reflects as UI:R.
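To make the header handling concrete, the Go program below is an added example and not Gitea's code: it contrasts a serving path with no PDF-specific headers against a hardened one and inspects both with httptest. The function names, the constructed sample PDF, the choice of application/octet-stream plus an attachment disposition, and the exact CSP string are this example's own assumptions, not a transcription of the patch.

```go
package main

import (
	"bytes"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SamplePDF is a constructed stand-in for a malicious upload: the start of a
// PDF whose OpenAction runs JavaScript in the viewer. It is not a complete
// PDF, only enough of one to exercise content sniffing and header logic.
var SamplePDF = []byte("%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert('xss')) >> >>\nendobj\n%%EOF\n")

// IsPDF sniffs the PDF magic bytes. Deciding on content rather than on the
// file extension means an attacker cannot dodge the rule by renaming the file.
func IsPDF(data []byte) bool {
	return bytes.HasPrefix(data, []byte("%PDF-"))
}

// ServeRawVulnerable models the pre-fix behaviour the analysis describes
// (hypothetical, not Gitea's code): the blob is served inline with a sniffed
// Content-Type and no Content-Security-Policy, so a browser renders the PDF
// under the site's own origin with nothing restricting script inside it.
func ServeRawVulnerable(w http.ResponseWriter, name string, data []byte) {
	w.Header().Set("Content-Type", http.DetectContentType(data))
	w.Header().Set("Content-Disposition", mime.FormatMediaType("inline", map[string]string{"filename": name}))
	w.Write(data)
}

// ServeRawHardened is this example's hardened counterpart. A PDF is delivered
// as an opaque download (application/octet-stream, attachment) and, as a second
// layer, with a CSP whose sandbox directive strips script and origin privileges
// should a viewer still render the bytes inline. Non-PDF blobs are unchanged.
func ServeRawHardened(w http.ResponseWriter, name string, data []byte) {
	h := w.Header()
	h.Set("X-Content-Type-Options", "nosniff") // stop the browser guessing a richer type
	if IsPDF(data) {
		h.Set("Content-Type", "application/octet-stream")
		h.Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": name}))
		h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	} else {
		h.Set("Content-Type", http.DetectContentType(data))
		h.Set("Content-Disposition", mime.FormatMediaType("inline", map[string]string{"filename": name}))
	}
	w.Write(data)
}

// Probe runs a serving function against an in-memory response and returns the
// headers it produced, which is what a reviewer of the fix actually checks.
func Probe(serve func(http.ResponseWriter, string, []byte), name string, data []byte) http.Header {
	rec := httptest.NewRecorder()
	serve(rec, name, data)
	return rec.Result().Header
}

// PDFIsContained reports whether a response keeps a PDF from running script in
// the site's origin: it must either not be rendered inline as a PDF at all, or
// carry a sandboxing Content-Security-Policy.
func PDFIsContained(h http.Header) bool {
	renderedInline := h.Get("Content-Type") == "application/pdf" &&
		!strings.HasPrefix(h.Get("Content-Disposition"), "attachment")
	sandboxed := strings.Contains(h.Get("Content-Security-Policy"), "sandbox")
	return !renderedInline || sandboxed
}

func main() {
	for _, c := range []struct {
		label string
		serve func(http.ResponseWriter, string, []byte)
	}{{"vulnerable", ServeRawVulnerable}, {"hardened", ServeRawHardened}} {
		h := Probe(c.serve, "notes.pdf", SamplePDF)
		fmt.Printf("%-10s Content-Type=%q Disposition=%q CSP=%q contained=%v\n",
			c.label, h.Get("Content-Type"), h.Get("Content-Disposition"),
			h.Get("Content-Security-Policy"), PDFIsContained(h))
	}
}
```

Sniffing on the magic bytes rather than trusting the extension is deliberate: the raw endpoint is reached by path, and an attacker chooses the path. The PDFIsContained check is the kind of assertion worth keeping in a regression test, since either removing the CSP or switching the disposition back to inline would reopen the issue.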


WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9 via unfiltered PDFs
