x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-ff28-f46g-r9g8

[julieqiu]

In GitHub Security Advisory GHSA-ff28-f46g-r9g8, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
gogs.io/gogs	0.12.7	< 0.12.7

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: gogs.io/gogs
    versions:
      - fixed: 0.12.7
description: |
    ### Impact

    The malicious user is able to upload a crafted SVG file as the issue attachment to archive XSS. All installations [allow uploading SVG (`text/xml`) files as issue attachments (non-default)](https://github.com/gogs/gogs/blob/e51e01683408e10b3dcd2ace65e259ca7f0fd61b/conf/app.ini#L283-L284) are affected.

    ### Patches

    Correctly setting the Content Security Policy for the serving endpoint. Users should upgrade to 0.12.7 or the latest 0.13.0+dev.

    ### Workarounds

    [Disable uploading SVG files (`text/xml`) as issue attachments](https://github.com/gogs/gogs/blob/e51e01683408e10b3dcd2ace65e259ca7f0fd61b/conf/app.ini#L283-L284).

    ### References

    https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/

    ### For more information

    If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6919.
published: 2022-05-24T20:48:14Z
last_modified: 2022-05-24T20:48:17Z
cves:
  - CVE-2022-1464
ghsas:
  - GHSA-ff28-f46g-r9g8
links:
    context:
      - https://github.com/advisories/GHSA-ff28-f46g-r9g8

[tatianab]

Code is not importable

[gopherbot]

Change https://go.dev/cl/592769 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607221 mentions this issue: data/reports: unexclude 20 reports (19)