x/vulndb: potential Go vuln in github.com/swaggo/http-swagger: CVE-2024-25712

[GoVulnBot]

CVE-2024-25712 references github.com/swaggo/http-swagger, which may be a Go module.

Description:
http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded (via httpSwagger.WrapHandler and *webdav.memFile) can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because (if a solution continued to allow PUT requests) large files could have been blocked without blocking JavaScript, or JavaScript could have been blocked without blocking large files.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-25712
• JSON: https://github.com/CVEProject/cvelist/tree/622d0d78b90575f4fb4742f00b06a3c4a3addc8b/2024/25xxx/CVE-2024-25712.json
• web: https://cosmosofcyberspace.github.io/improper_http_method_leads_to_xss/poc.html
• web: https://github.com/swaggo/http-swagger/releases/tag/v1.2.6
• Imported by: https://pkg.go.dev/github.com/swaggo/http-swagger?tab=importedby

Cross references:

• Module github.com/swaggo/http-swagger appears in issue x/vulndb: potential Go vuln in github.com/swaggo/http-swagger: CVE-2022-24863 #427 NOT_A_VULNERABILITY

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/swaggo/http-swagger
      vulnerable_at: 1.3.4
      packages:
        - package: n/a
cves:
    - CVE-2024-25712
references:
    - web: https://cosmosofcyberspace.github.io/improper_http_method_leads_to_xss/poc.html
    - web: https://github.com/swaggo/http-swagger/releases/tag/v1.2.6

[neild]

Duplicate of #427