VYPR
Moderate severity · NVD Advisory · Published Feb 8, 2022 · Updated Aug 4, 2024

CVE-2021-45329

Description

Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Gitea before 1.5.1 via the external wiki/issue tracker URL field allows attackers to inject arbitrary JavaScript.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Gitea versions prior to 1.5.1 [2]. The issue resides in the repository settings page, specifically the external wiki and issue tracker URL fields. User-supplied input for these fields is not properly sanitized before being stored and later rendered in the user interface. This allows an attacker to inject arbitrary HTML or JavaScript code through a crafted URL value. The vulnerability was fixed in Gitea 1.5.1 via pull request #4710, which improved URL validation [3].
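As an added illustration, not Gitea's own code and not the change made in PR #4710: a Go allow-list check of the kind this class of bug needs, accepting only absolute http(s) values for the external wiki/issue tracker fields and HTML-escaping the link on output. Function names and sample inputs are constructed.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// validateExternalURL: allow-list check for an external wiki/issue tracker URL.
// The value must parse as an absolute http(s) URL with a host; any other scheme
// (javascript:, data:, ...) or scheme-less value is rejected. Illustrative, not Gitea's code.
func validateExternalURL(raw string) (string, error) {
	trimmed := strings.TrimSpace(raw) // leading blanks must not hide the scheme
	if trimmed == "" {
		return "", nil // empty clears the setting
	}
	u, err := url.Parse(trimmed)
	if err != nil {
		return "", fmt.Errorf("unparsable URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" { // url.Parse lower-cases Scheme
		return "", fmt.Errorf("scheme %q not allowed, only http/https accepted", u.Scheme)
	}
	if u.Host == "" {
		return "", fmt.Errorf("URL must be absolute and include a host")
	}
	// String() re-encodes the path: quotes and angle brackets become percent-escapes.
	return u.String(), nil
}

// renderLink is the output-side defence: URL and label are HTML-escaped in the anchor.
func renderLink(validated, label string) string {
	return fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(validated), html.EscapeString(label))
}
func main() {
	// Constructed samples: one legitimate, the rest hostile or malformed.
	for _, s := range []string{
		"https://wiki.example.org/project", "javascript:alert(1)",
		"  JavaScript:alert(document.cookie)", "wiki.example.org/project",
		`https://example.org/"><script>alert(1)</script>`,
	} {
		if v, err := validateExternalURL(s); err != nil {
			fmt.Printf("REJECT %q: %v\n", s, err)
		} else {
			fmt.Printf("ACCEPT %q -> %s\n", s, renderLink(v, "External wiki"))
		}
	}
}
```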

Exploitation

To exploit this vulnerability, an attacker must have the ability to modify repository settings (e.g., a repository collaborator with write access or an administrator). The attacker sets the external wiki or issue tracker URL to a malicious payload such as javascript:alert(1) or a crafted URL containing an XSS vector. When any user views the repository settings page or the external link is loaded, the injected script executes in the context of the victim's browser session. No user interaction beyond viewing the affected page is required.

Impact

Successful exploitation results in arbitrary JavaScript execution within the victim's session. This can lead to session hijacking, theft of sensitive information (e.g., authentication tokens, private repository data), unauthorized actions performed on behalf of the victim, or defacement. The attacker gains the same privileges as the victim user, potentially including repository administration if the victim is an admin.

Mitigation

The vulnerability is patched in Gitea version 1.5.1, released on September 11, 2018 [2]. Users are strongly advised to upgrade to at least this version. If upgrading is not immediately possible, restrict write access to repository settings to only trusted users and avoid viewing settings pages from untrusted accounts. No other workarounds are documented in the available references. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
github.com/go-gitea/gitea (Go)   < 1.5.1             1.5.1

Affected products (3)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.