CVE-2022-46181 - Vulnerability Details - OpenCVE

Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client side scripts **if** another user opened a link. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. The vulnerability has been fixed in version 2.2.2. As a workaround, you can block access to non image files via a reverse proxy in the `./image` directory.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Gotify	Server

Configuration 1 [-]

cpe:2.3:a:gotify:server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/gotify/server/pull/534
https://github.com/gotify/server/pull/535
https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh

History

Thu, 10 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-29T18:36:46.603Z

Updated: 2025-04-10T18:02:15.686Z

Reserved: 2022-11-28T17:27:19.999Z

Link: CVE-2022-46181

Vulnrichment

Updated: 2024-08-03T14:31:44.432Z

NVD

Status : Modified

Published: 2022-12-29T19:15:08.810

Modified: 2024-11-21T07:30:16.587

Link: CVE-2022-46181

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-46181", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-11-28T17:27:19.999Z", "datePublished": "2022-12-29T18:36:46.603Z", "dateUpdated": "2025-04-10T18:02:15.686Z"}, "containers": {"cna": {"title": "Gotify server XSS vulnerability in the application image file upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh"}, {"name": "https://github.com/gotify/server/pull/534", "tags": ["x_refsource_MISC"], "url": "https://github.com/gotify/server/pull/534"}, {"name": "https://github.com/gotify/server/pull/535", "tags": ["x_refsource_MISC"], "url": "https://github.com/gotify/server/pull/535"}], "affected": [{"vendor": "gotify", "product": "server", "versions": [{"version": "< 2.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-29T18:36:46.603Z"}, "descriptions": [{"lang": "en", "value": "Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client side scripts **if** another user opened a link. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. The vulnerability has been fixed in version 2.2.2. As a workaround, you can block access to non image files via a reverse proxy in the `./image` directory."}], "source": {"advisory": "GHSA-xv6x-456v-24xh", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:31:44.432Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh"}, {"name": "https://github.com/gotify/server/pull/534", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/gotify/server/pull/534"}, {"name": "https://github.com/gotify/server/pull/535", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/gotify/server/pull/535"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-10T18:02:01.051299Z", "id": "CVE-2022-46181", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T18:02:15.686Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh", "name": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/gotify/server/pull/534", "name": "https://github.com/gotify/server/pull/534", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/gotify/server/pull/535", "name": "https://github.com/gotify/server/pull/535", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:31:44.432Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-46181", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-10T18:02:01.051299Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T18:02:04.926Z"}}], "cna": {"title": "Gotify server XSS vulnerability in the application image file upload", "source": {"advisory": "GHSA-xv6x-456v-24xh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "gotify", "product": "server", "versions": [{"status": "affected", "version": "< 2.2.2"}]}], "references": [{"url": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh", "name": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gotify/server/pull/534", "name": "https://github.com/gotify/server/pull/534", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gotify/server/pull/535", "name": "https://github.com/gotify/server/pull/535", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client side scripts **if** another user opened a link. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. The vulnerability has been fixed in version 2.2.2. As a workaround, you can block access to non image files via a reverse proxy in the `./image` directory."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-29T18:36:46.603Z"}}}, "cveMetadata": {"cveId": "CVE-2022-46181", "state": "PUBLISHED", "dateUpdated": "2025-04-10T18:02:15.686Z", "dateReserved": "2022-11-28T17:27:19.999Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-12-29T18:36:46.603Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gotify:server:*:*:*:*:*:*:*:*", "matchCriteriaId": "37AC8598-D2C6-407B-BBE1-3D9849FB2628", "versionEndExcluding": "2.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client side scripts **if** another user opened a link. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. The vulnerability has been fixed in version 2.2.2. As a workaround, you can block access to non image files via a reverse proxy in the `./image` directory."}, {"lang": "es", "value": "El servidor Gotify es un servidor simple para enviar y recibir mensajes en tiempo real por WebSocket. Las versiones anteriores a la 2.2.2 contienen una vulnerabilidad XSS que permite a los usuarios autenticados cargar archivos .html. Un atacante podr\u00eda ejecutar scripts del lado del cliente **si** otro usuario abriera un enlace. El atacante podr\u00eda potencialmente hacerse cargo de la cuenta del usuario que hizo clic en el enlace. La interfaz de usuario de Gotify no expondr\u00e1 de forma nativa un enlace malicioso, por lo que un atacante debe lograr que el usuario abra el enlace malicioso en un contexto fuera de Gotify. La vulnerabilidad se ha solucionado en la versi\u00f3n 2.2.2. Como workaround, puede bloquear el acceso a archivos que no sean de im\u00e1genes a trav\u00e9s de un proxy inverso en el directorio `./image`."}], "id": "CVE-2022-46181", "lastModified": "2024-11-21T07:30:16.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-12-29T19:15:08.810", "references": [{"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/gotify/server/pull/534"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://github.com/gotify/server/pull/535"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/gotify/server/pull/534"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/gotify/server/pull/535"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/gotify/server/security/advisories/GHSA-xv6x-456v-24xh"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}]}