Impact
The XSS vulnerability allows authenticated users to upload .html files. With that, an attacker could execute client side scripts if another user opened a link, such as:
https://push.example.org/image/[alphanumeric string].html
An attacker could potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify.
Patches
The vulnerability has been fixed in version 2.2.2.
Workarounds
You can block access to non image files via a reverse proxy in the ./image directory.
References
gotify/server#534
gotify/server#535
Thanks to rickshang (aka 无在无不在) for discovering and reporting this bug.
References
Impact
The XSS vulnerability allows authenticated users to upload .html files. With that, an attacker could execute client side scripts if another user opened a link, such as:
An attacker could potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify.
Patches
The vulnerability has been fixed in version 2.2.2.
Workarounds
You can block access to non image files via a reverse proxy in the
./imagedirectory.References
gotify/server#534
gotify/server#535
Thanks to rickshang (aka 无在无不在) for discovering and reporting this bug.
References