Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14djZ4LTQ1NnYtMjR4aM4AAwqM

gotify/server vulnerable to Cross-site Scripting in the application image file upload

Impact

The XSS vulnerability allows authenticated users to upload .html files. With that, an attacker could execute client-side scripts if another user opened a link, such as:

https://push.example.org/image/[alphanumeric string].html

An attacker could potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify.

Patches

The vulnerability has been fixed in version 2.2.2.

Workarounds

You can block access to non-image files in the ./image directory via a reverse proxy.
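One way to implement this workaround, as an added example that is not from the advisory or the Gotify project: an nginx server block that only forwards /image/ requests whose file name ends in an image extension and refuses everything else under that path. The upstream address 127.0.0.1:8080, the hostname and the extension list are assumptions.

```nginx
# Added example, not part of the advisory or of Gotify's own documentation.
# Assumes Gotify listens on 127.0.0.1:8080 behind this proxy and serves
# uploaded application images under /image/ (the path shown in the advisory).
server {
    listen 443 ssl;
    server_name push.example.org;

    # Regex locations take precedence over the plain "/image/" prefix below,
    # so only file names ending in a known image extension reach Gotify.
    location ~* ^/image/[^/]+\.(png|jpe?g|gif|webp)$ {
        proxy_pass http://127.0.0.1:8080;
        # Stop browsers from sniffing an uploaded file into a different type.
        add_header X-Content-Type-Options nosniff always;
    }

    # Anything else under /image/ (for example an uploaded .html file)
    # is refused at the proxy and never served to a user.
    location /image/ {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Verify the rule with a request for an image name ending in .html under /image/ and confirm the proxy answers 403 while a .png name is passed through.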

References

https://github.com/gotify/server/pull/534
https://github.com/gotify/server/pull/535


Thanks to rickshang (aka 无在无不在) for discovering and reporting this bug.

Permalink: https://github.com/advisories/GHSA-xv6x-456v-24xh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14djZ4LTQ1NnYtMjR4aM4AAwqM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 1 year ago


CVSS Score: 4.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-xv6x-456v-24xh, CVE-2022-46181
References: Repository: https://github.com/gotify/server
Blast Radius: 2.2

Affected Packages

go:github.com/gotify/server
Dependent packages: 2
Dependent repositories: 3
Downloads:
Affected Version Ranges: <= 2.2.1
Fixed in: 2.2.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.2.0, 1.2.1
All unaffected versions: