GHSA-3244-8mff-w398: 
vulnerability analysis and mitigation

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in Gotify's /docs endpoint due to an outdated instance of Swagger UI API documentation frontend. The vulnerability, tracked as GHSA-3244-8mff-w398, affected Gotify server versions <= 2.2.2 and was patched in version 2.2.3. The issue was published on January 10, 2023 (GitHub Advisory).

The vulnerability stems from an outdated DOMPurify version included with Swagger UI that is susceptible to reflected XSS attacks when loading external Swagger config files. The specific vulnerability relates to CVE-2020-26870, which involves a rendering XSS incorporating a mutation payload that was previously patched in 2021. This is also tracked as GHSA-qrmm-w75w-3wpx in the GitHub Advisory Database (GitHub Advisory, Securitum Research).

An attacker can execute arbitrary JavaScript and potentially take over the account of a user who clicks a malicious link. However, the Gotify UI does not natively expose such malicious links, requiring the attacker to convince users to open the malicious link in a context outside of Gotify (GitHub Advisory).

The vulnerability has been fixed in Gotify server version 2.2.3. Users are advised to upgrade to this version or later to protect against this XSS vulnerability (GitHub Advisory).