Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Stored XSS in Gitea - exploit.company
header-logo
Suggest Exploit
vendor:
Gitea
by:
Catalin Iovita & Alexandru Postolache
6.1
CVSS
HIGH
Stored Cross-Site Scripting (XSS)
79
CWE
Product Name: Gitea
Affected Version From: 1.22.0
Affected Version To: 1.22.0
Patch Exists: NO
Related CWE: CVE-2024-6886
CPE: a:go-gitea:gitea:1.22.0
Metasploit:
Other Scripts:
Platforms Tested: Linux
2024

Stored XSS in Gitea

Gitea version 1.22.0 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. This security flaw enables a malicious actor to insert harmful scripts that are stored on the server and run within the context of another user's session.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user inputs to prevent the injection of malicious scripts. Additionally, implementing content security policy (CSP) headers can help mitigate the impact of XSS attacks.
Source

Exploit-DB raw data:

# Exploit Title: Stored XSS in Gitea
# Date: 27/08/2024
# Exploit Authors: Catalin Iovita & Alexandru Postolache
# Vendor Homepage: (https://github.com/go-gitea/gitea)
# Version: 1.22.0
# Tested on: Linux 5.15.0-107, Go 1.23.0
# CVE: CVE-2024-6886

## Vulnerability Description
Gitea 1.22.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.

## Steps to Reproduce
1. Log in to the application.
2. Create a new repository or modify an existing repository by clicking the Settings button from the `$username/$repo_name/settings` endpoint.
3. In the Description field, input the following payload:

    <a href=javascript:alert()>XSS test</a>

4. Save the changes.
5. Upon clicking the repository description, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.