Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Gotify server XSS vulnerability in the application image file upload
Vulnerability Description
Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client side scripts **if** another user opened a link. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. The vulnerability has been fixed in version 2.2.2. As a workaround, you can block access to non image files via a reverse proxy in the `./image` directory.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Gotify 跨站脚本漏洞
Vulnerability Description
Gotify是一个简单的服务器来发送和接收消息。 Gotify server 2.2.2 之前版本存在跨站脚本漏洞,该漏洞源于存在XSS漏洞,允许经过身份验证的用户上传html文件,如果另一个用户打开链接,攻击者可以执行客户端脚本并可能会接管单击该链接用户的帐户。
CVSS Information
N/A
Vulnerability Type
N/A