What is CVE-2021-28378?

CVE-2021-28378 is a low-severity software vulnerability (Cross-site scripting (XSS)) with a CVSS score of 3.7. Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations.

Is CVE-2021-28378 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 9%.

What products does CVE-2021-28378 affect?

Tracked products affected include Gitea. Check the version you run to see whether it is affected.

How do I fix CVE-2021-28378?

Apply the vendor fix in your normal patch cycle. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2021-28378

LOW severity · CVSS 3.7 · Cross-site scripting (XSS)

3.7CVSS LOW

Summary

Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredLow

User interactionRequired

Confidentiality impactLow

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)9%

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected products we track (1)

Gitea

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://github.com/go-gitea/gitea/pull/14898 ↗

Additional information

NVD record
https://github.com/go-gitea/gitea/pull/14898Patch
https://blog.gitea.io/2021/03/gitea-1.13.4-is-released/Advisory
https://github.com/PandatiX/CVE-2021-28378Advisory