How the CVE Works
The vulnerability (CVE-2024-4367) in Gogs stems from an outdated PDF.js component (v1.4.20) bundled under public/plugins/. An attacker can exploit it by uploading a malicious PDF file that contains embedded JavaScript to a repository. When a victim previews the file in the browser, the payload executes because the viewer does not properly sanitize its input, which amounts to stored cross-site scripting (XSS). The attacker thereby gains arbitrary client-side code execution within the victim's browser session, potentially compromising user data or administrative accounts.
DailyCVE Form
Platform: Gogs
Version: 0.14.0+dev
Vulnerability: Stored XSS
Severity: Critical
Date: 2024-05-23
Prediction: Patch by 2024-07-15
What Undercode Says
docker pull gogs/gogs
mkdir -p /var/gogs
docker run --name=gogs -p 10022:22 -p 10880:3000 -v /var/gogs:/data gogs/gogs
How the Exploit Works
1. Upload malicious PDF to a repository.
2. Victim previews the file.
3. XSS payload executes.
Protection from this CVE
- Update the bundled PDF.js component.
- Disable in-browser PDF previews.
- Implement Content Security Policy (CSP) headers.
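As an added, defender-side example (not code from the Gogs project or from this advisory), a Python triage check that a repository host could run on uploads before handing them to the in-browser viewer: it flags PDFs carrying the embedded-JavaScript and auto-run markers the advisory describes, decoding hex-escaped names and Flate-compressed streams so the markers cannot simply be hidden from a plain text search. The sample PDFs are constructed inline; the marker list and the block-preview policy are assumptions of this example.

```python
import re
import zlib

# PDF name objects tied to script execution or automatic actions (assumed list for this example).
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /J#61vaScript is seen as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append inflated copies of Flate-compressed streams so names hidden in them are visible."""
    inflated = []
    for m in _STREAM.finditer(data):
        try:  # decompressobj tolerates a stream whose trailing byte the regex trimmed
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not a Flate stream (image data, plain text, other filters)
    return b"\n".join([data, *inflated])

def find_script_markers(data: bytes) -> dict:
    """Count each suspicious name; a name ends at a delimiter, so /JS does not match /JSON."""
    text = normalize_names(inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_.\-])", text))
        if count:
            hits[name.decode()] = count
    return hits

def triage_pdf(data: bytes) -> dict:
    """Decide whether an upload may be handed to the in-browser PDF viewer (assumed policy)."""
    if not data.lstrip().startswith(b"%PDF-"):
        return {"pdf": False, "block_preview": True, "markers": {}}
    hits = find_script_markers(data)
    return {"pdf": True, "block_preview": bool(hits), "markers": hits}

# Constructed samples: a benign catalog, and one whose catalog auto-runs a hex-escaped JavaScript action.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
_ACTION_CATALOG = b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
JS_PDF = _ACTION_CATALOG + b"3 0 obj << /S /J#61vaScript /JS (x) >> endobj\n%%EOF\n"

def flate_hidden_sample(action_dict: bytes = b"<< /S /JavaScript /JS (x) >>") -> bytes:
    """Same constructed action, stored inside a Flate-compressed stream where a plain grep would miss it."""
    payload = zlib.compress(action_dict)
    header = b"3 0 obj << /Filter /FlateDecode /Length " + str(len(payload)).encode() + b" >>\nstream\n"
    return _ACTION_CATALOG + header + payload + b"\nendstream endobj\n%%EOF\n"
```

A hit means the upload should be served as a download rather than rendered; the check is a triage signal, not a substitute for updating PDF.js.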
Impact
- Session hijacking.
- Data theft.
- Admin compromise.
Sources:
Reported By: github.com
Extra Source Hub: Undercode