x/vulndb: potential Go vuln in github.com/oxyno-zeta/s3-proxy/cmd/s3-proxy: GHSA-pp9m-qf39-hxjc

[GoVulnBot]

Advisory GHSA-pp9m-qf39-hxjc references a vulnerability in the following Go modules:

Module
github.com/oxyno-zeta/s3-proxy

Description:

Summary

A Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a moderate risk to all users.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.
It's possible to inject html elements, including scripts through the folder-list template. It...

References:

• ADVISORY: GHSA-pp9m-qf39-hxjc
• ADVISORY: GHSA-pp9m-qf39-hxjc
• FIX: oxyno-zeta/s3-proxy@c611c74
• WEB: https://github.com/oxyno-zeta/s3-proxy/releases/tag/v4.18.1

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/oxyno-zeta/s3-proxy
      vulnerable_at: 0.0.0-20250220214310-c611c741ed48
summary: S3-Proxy allows Reflected Cross-site Scripting (XSS) in template implementation in github.com/oxyno-zeta/s3-proxy
cves:
    - CVE-2025-27088
ghsas:
    - GHSA-pp9m-qf39-hxjc
references:
    - advisory: https://github.com/advisories/GHSA-pp9m-qf39-hxjc
    - advisory: https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc
    - fix: https://github.com/oxyno-zeta/s3-proxy/commit/c611c741ed4872ea3f46232be23bb830f96f9564
    - web: https://github.com/oxyno-zeta/s3-proxy/releases/tag/v4.18.1
source:
    id: GHSA-pp9m-qf39-hxjc
    created: 2025-02-20T23:01:24.584637323Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/654257 mentions this issue: data/reports: add 23 reports