This can be exploited to trick users into visiting a different site (e.g. https://github.com/example.com/vuln/), leading to information disclosure or session hijacking. This is fixed in 0.12.0 by checking for \\.\example.com and only allowing a redirect to a URL starting with example.com. This issue was reported to the package maintainers through the issue tracker.
Another issue affects the package github.com/gophish/graphite . The application uses Graphite backend via a dependency golang/go: - package github.com/gophish/graphite The package maintainers did not apply the security patch to version 1.2.7. This version is affected by the XSS flaw in the package github.com/gophish/graphite#1.2.7 . The application does not sanitize user input in the following path (or even exists at all) in order to extract the data to be logged: - http://www.domain.com/path/to/input This affects versions before 1.2.8. This issue was reported to the package maintainers through the issue tracker.
Another issue affects the package github.com/gophish/gopher . The package maintainers did not apply the security patch to version 0.4.4. This version is affected by the XSS flaw in the package github.com/goph
Timeline
Published on: 09/11/2022 14:15:00 UTC
Last modified on: 09/15/2022 03:41:00 UTC