id: CVE-2024-6886

info:
  name: Gitea 1.22.0 - Stored Cross-Site Scripting
  author: soonghee2
  severity: medium
  description: |
    Gitea 1.22.0 is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. An authenticated attacker can inject script into content that is stored on the server and rendered to other users, so it executes in the context of the victim's session.
  reference:
    - https://www.exploit-db.com/exploits/52077
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6886
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
    cvss-score: 6.7
    cve-id: CVE-2024-6886
    cwe-id: CWE-79
    cpe: cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: gitea
    product: gitea
  tags: cve,cve2024,gitea,xss,authenticated

# The template is authenticated: credentials for a low-privileged Gitea account
# must be supplied at run time, e.g.
#   nuclei -t CVE-2024-6886.yaml -var username=<user> -var password=<pass>
variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      # 1. Log in. The session cookie set by this response must be carried into
      #    the following requests for the rest of the chain to work.
      - |
        POST /user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user_name={{username}}&password={{password}}

      # 2. and 3. Fetch authenticated pages so the extractors below can pick up
      #    the _csrf token and the numeric user id (uid) needed to create a repo.
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /{{username}} HTTP/1.1
        Host: {{Hostname}}

      # 4. Create a repository whose description carries the marker string.
      - |
        POST /repo/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        repo_name={{randstr}}&description=XSS&_csrf={{csrf_token}}&uid={{uid_name}}

      # 5. Re-fetch the profile page, where the new repository's description is rendered.
      - |
        GET /{{username}} HTTP/1.1
        Host: {{Hostname}}

    # All three matchers are evaluated against the fifth response. Note the limits of
    # this check: it confirms that the repository was created and that its marker
    # description is rendered on the profile page, but it does not observe script
    # execution, and a patched instance that simply displays the description text
    # will match as well.
    matchers-condition: and
    matchers:
      - type: word
        part: body_5
        words:
          - 'XSS'
          - 'gitea'
        condition: and

      - type: word
        part: header_5
        words:
          - text/html

      - type: status
        status:
          - 200

    # Neither extractor is pinned to one request with `part`, so both run against
    # each response body in the chain; the captured values feed request 4.
    extractors:
      - type: regex
        name: csrf_token
        group: 1
        regex:
          - 'name="_csrf" value="([^"]+)"'
        internal: true

      - type: regex
        name: uid_name
        group: 1
        regex:
          - '"uid":\s*(\d+)'
        internal: true
# digest: 490a004630440220794850ade0257c0152689ca885f4dbf63a12718c240bc3df0d687cd8f5efc67b02201bc744cb87251732dd1d821fa90deae70314ac6c68ed6f2dd6b1ffd759d46c1a:922c64590222798bb761d5b6d8e72950
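The same five-request chain, re-implemented in Python so it can be replayed without nuclei and so the extractor and matcher logic can be exercised offline. This is an added example, not code from the template author or from the Gitea project. It assumes only the Python standard library, takes the base URL and a low-privileged account's credentials on the command line, and uses constructed HTML fragments (`SAMPLE_WITH_CSRF`, `SAMPLE_WITH_UID`) in place of real Gitea responses for the offline checks; the regexes and the matcher conditions are copied from the template.

```python
"""Stand-alone replay of the request chain in the nuclei template above.

Added example; not code from the template author or the Gitea project.
Standard library only. The target URL and credentials are CLI arguments;
the extractor/matcher helpers are pure functions usable offline.
"""
import argparse
import http.cookiejar
import re
import secrets
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Same patterns as the template's two extractors.
CSRF_RE = re.compile(r'name="_csrf" value="([^"]+)"')
UID_RE = re.compile(r'"uid":\s*(\d+)')

# Constructed HTML fragments standing in for Gitea responses (not captured from a real server).
SAMPLE_WITH_CSRF = '<form method="post"><input type="hidden" name="_csrf" value="tok-ABC123"></form>'
SAMPLE_WITH_UID = '<script>window.config = {"appUrl": "/", "uid": 42}</script>'


def extract_csrf(html: str) -> Optional[str]:
    """Return the _csrf hidden-field value, or None if the page has none."""
    m = CSRF_RE.search(html)
    return m.group(1) if m else None


def extract_uid(html: str) -> Optional[str]:
    """Return the digits following "uid": , or None if the page has none."""
    m = UID_RE.search(html)
    return m.group(1) if m else None


def profile_matches(status: int, content_type: str, body: str, marker: str = "XSS") -> bool:
    """Mirror the template's three AND-ed matchers on the final profile response."""
    return status == 200 and "text/html" in content_type and marker in body and "gitea" in body


def run_chain(base_url: str, username: str, password: str, marker: str = "XSS") -> bool:
    """Log in, collect _csrf and uid, create a repo described by `marker`, re-check the profile."""
    jar = http.cookiejar.CookieJar()  # keeps the session cookie across requests, as nuclei does
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def fetch(path: str, form: Optional[dict] = None) -> Tuple[int, str, str]:
        data = urllib.parse.urlencode(form).encode() if form is not None else None
        headers = {"Content-Type": "application/x-www-form-urlencoded"} if form is not None else {}
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, headers=headers)
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")

    fetch("/user/login", {"user_name": username, "password": password})   # step 1
    _, _, home = fetch("/")                                                # step 2
    _, _, profile = fetch("/" + urllib.parse.quote(username))              # step 3
    csrf = extract_csrf(profile) or extract_csrf(home)
    uid = extract_uid(profile) or extract_uid(home)
    if csrf is None or uid is None:
        raise RuntimeError("could not extract _csrf/uid; the login probably failed")
    repo_name = "probe-" + secrets.token_hex(4)                            # stands in for {{randstr}}
    fetch("/repo/create", {"repo_name": repo_name, "description": marker,
                           "_csrf": csrf, "uid": uid})                     # step 4
    status, ctype, body = fetch("/" + urllib.parse.quote(username))        # step 5
    return profile_matches(status, ctype, body, marker)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Replay the CVE-2024-6886 nuclei chain against one Gitea host")
    ap.add_argument("base_url", help="e.g. http://gitea.example.test:3000 (hypothetical)")
    ap.add_argument("username")
    ap.add_argument("password")
    args = ap.parse_args()
    print("matched" if run_chain(args.base_url, args.username, args.password) else "no match")
```

As with the template, a `matched` result only means the repository was created and its description text is rendered on the profile page; it is not evidence that script executed, and it will also be reported for a patched instance that displays the same text.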