[Security] Stored XSS. Account Takeover possilble. #2195

Closed
opened 2025-11-02 04:26:45 -06:00 by GiteaMirror · 3 comments
Owner

Originally created by @ghost on GitHub (Aug 14, 2018).

  • Gitea version (or commit ref): any version with external issue tracker
  • Git version: not relevant
  • Operating system: not relevant
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

Screenshots

Originally created by @ghost on GitHub (Aug 14, 2018). <!-- 1. Please speak English, this is the language all of us can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/NsatcWJ) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): any version with external issue tracker - Git version: not relevant - Operating system: not relevant - Database (use `[x]`): - [ ] PostgreSQL - [ ] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [x] Yes (provide example URL) - [ ] No - [ ] Not relevant - Log gist: ## Description ## Screenshots <!-- **If this issue involves the Web Interface, please include a screenshot** -->
GiteaMirror added the topic/security label 2025-11-02 04:26:45 -06:00
Author
Owner

@techknowlogick commented on GitHub (Aug 14, 2018):

Thoughts from top of my head, we could use net/url and validate that external issue tracker is a valid URL and the protocol of URL is http/https.

May have time in several hours to look into where to add this into code.

Thanks for report 😄

@techknowlogick commented on GitHub (Aug 14, 2018): Thoughts from top of my head, we could use net/url and validate that external issue tracker is a valid URL and the protocol of URL is http/https. May have time in several hours to look into where to add this into code. Thanks for report 😄
Author
Owner

@lafriks commented on GitHub (Aug 15, 2018):

@cezar97 thanks for report ;)

@lafriks commented on GitHub (Aug 15, 2018): @cezar97 thanks for report ;)
Author
Owner

@lafriks commented on GitHub (Aug 19, 2018):

I don't think that's worth the work as chances of that are quite minimal and I would not like to automatically remove or mess up someone's setttings

@lafriks commented on GitHub (Aug 19, 2018): I don't think that's worth the work as chances of that are quite minimal and I would not like to automatically remove or mess up someone's setttings
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#2195