5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31038

CVE-2022-31038: Cross-site Scripting vulnerability in repository issue list in Gogs

Impact

DisplayName allows all the characters from users, which leads to an XSS vulnerability when directly displayed in the issue list.

Patches

DisplayName is sanitized before being displayed. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.

Workarounds

Check and update the existing users' display names that contain malicious characters.

References

N/A

For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/pull/7009.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-31038

CVE-2022-31038:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
gogs.io/gogs	go	< 0.12.9	0.12.9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized DisplayName values being rendered in the issue list template. The GitHub patch shows the critical change was adding the Sanitize filter before Safe in templates/repo/issue/list.tmpl. This indicates the original code path (without Sanitize) failed to properly neutralize user-controlled input before outputting HTML, meeting CWE-79 criteria. The template's {{.Poster.DisplayName | Safe}} construct prior to patching was the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-31038: Cross-site Scripting vulnerability in repository issue list in Gogs

Impact

Patches

Workarounds

References

For more information

CVE-2022-31038:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2022-31038: Cross-site Scripting vulnerability in repository issue list in Gogs

Impact

Patches

Workarounds

References

For more information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

5.4

5.4

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI