Test ID:	1.3.6.1.4.1.25623.1.0.170460
Category:	Privilege escalation
Title:	Gitea < 1.19.3 Multiple golang Vulnerabilities
Summary:	Gitea is prone to multiple vulnerabilities in golang.
Description:	Summary: Gitea is prone to multiple vulnerabilities in golang. Vulnerability Insight: The following flaws exist in golang: - CVE-2023-24539: Angle brackets are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. - CVE-2023-24540: Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing other whitespace characters in JavaScript contexts that also contain actions may not be properly sanitized during execution. - CVE-2023-29400: Templates containing actions in unquoted HTML attributes executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. Affected Software/OS: Gitea prior to version 1.19.3. Solution: Update to version 1.19.3 or later. CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2023-24539 https://go.dev/cl/491615 https://go.dev/issue/59720 https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU https://pkg.go.dev/vuln/GO-2023-1751 Common Vulnerability Exposure (CVE) ID: CVE-2023-24540 https://go.dev/cl/491616 https://go.dev/issue/59721 https://pkg.go.dev/vuln/GO-2023-1752 Common Vulnerability Exposure (CVE) ID: CVE-2023-29400 https://go.dev/cl/491617 https://go.dev/issue/59722 https://pkg.go.dev/vuln/GO-2023-1753
Copyright	Copyright (C) 2023 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.