4.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-46181

CVE-2022-46181: gotify/server vulnerable to Cross-site Scripting in the application image file upload

Impact

The XSS vulnerability allows authenticated users to upload .html files. With that, an attacker could execute client side scripts if another user opened a link, such as:

https://push.example.org/image/[alphanumeric string].html

An attacker could potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify.

Patches

The vulnerability has been fixed in version 2.2.2.

Workarounds

You can block access to non image files via a reverse proxy in the ./image directory.

References

https://github.com/gotify/server/pull/534 https://github.com/gotify/server/pull/535

Thanks to rickshang (aka 无在无不在) for discovering and reporting this bug.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-46181

CVE-2022-46181:

4.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/gotify/server	go	<= 2.2.1	2.2.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key failures: 1) Inadequate file extension validation during upload (fixed in PR#534 by restricting to image extensions), and 2) Improper content handling when serving files (fixed in PR#535 by enforcing image MIME types). While exact function names aren't visible in diffs, the pattern of fixes (extension validation and MIME type enforcement) clearly indicates these two functional areas were vulnerable. The combination allowed HTML uploads and subsequent execution when accessed.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-46181: gotify/server vulnerable to Cross-site Scripting in the application image file upload

Impact

Patches

Workarounds

References

CVE-2022-46181:

4.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

4.6

4.6

CVE-2022-46181: gotify/server vulnerable to Cross-site Scripting in the application image file upload

Impact

Patches

Workarounds

References

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI