CVE-2022-1464: 
Gogs vulnerability analysis and mitigation

A stored XSS vulnerability was discovered in GitHub repository gogs/gogs prior to version 0.12.7 (CVE-2022-1464). The vulnerability exists in the repository's public access functionality where any user can view reports and when opening attachments, malicious JavaScript code could be executed in the victim's account (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 7.3 (High) according to huntr.dev. The vulnerability allows execution of arbitrary JavaScript code through report attachments in the public repository section (NVD).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' sessions who view the malicious attachment. This could potentially lead to account compromise, data theft, or other malicious actions performed under the victim's account privileges (NVD).

The vulnerability has been patched in Gogs version 0.12.7. The fix involves implementing Content Security Policy (CSP) headers in the attachment serving endpoint to prevent execution of arbitrary JavaScript code (GitHub Patch). Users are advised to upgrade to version 0.12.7 or later to mitigate this vulnerability.