CVE-2022-32174: Gogs vulnerable to Cross-site Scripting
9.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.92677%
CWE
Published
10/11/2022
Updated
2/2/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
gogs.io/gogs | go | >= 0.6.5, <= 0.12.10 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper sanitization of user-supplied data in the assignee selection component. The code at line 263 of gogs.js
shows UI updates using .html()
with user-controlled input (full_name). When an admin selects a malicious user as assignee, the unescaped JavaScript payload in the user's name field executes due to unsafe HTML insertion methods. This matches the PoC description where XSS in the assignee selection leads to privilege escalation.