Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/syncthing/syncthing: CVE-2022-46165 #1835

Closed
GoVulnBot opened this issue Jun 6, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/syncthing/syncthing: CVE-2022-46165 #1835

GoVulnBot opened this issue Jun 6, 2023 · 1 comment
Assignees
@tatianab
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2022-46165 references github.com/syncthing/syncthing, which may be a Go module.

Description:
Syncthing is an open source, continuous file synchronization program. In versions prior to 1.23.5 a compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically. Additionally adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page. As a result the webUI may be subject to a stored cross site scripting attack. This issue has been addressed in version 1.23.5. Users are advised to upgrade. Users unable to upgrade should avoid sharing folders with untrusted users.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/syncthing/syncthing
      packages:
        - package: syncthing
description: |
    Syncthing is an open source, continuous file synchronization program. In versions prior to 1.23.5 a compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically. Additionally adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page. As a result the webUI may be subject to a stored cross site scripting attack. This issue has been addressed in version 1.23.5. Users are advised to upgrade. Users unable to upgrade should avoid sharing folders with untrusted users.
cves:
    - CVE-2022-46165
references:
    - advisory: https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h
    - fix: https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238
@tatianab tatianab added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Jun 7, 2023
@tatianab tatianab self-assigned this Jun 7, 2023
@tatianab tatianab mentioned this issue Jun 7, 2023
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/501842 mentions this issue: data/excluded: batch add 15 excluded reports

@GoVulnBot GoVulnBot mentioned this issue Jul 26, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot