CVEdetails.com the ultimate security vulnerability data source
Gogs » Gogs » all versions: Security Vulnerabilities

Cpe Name:cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
Each entry below lists: CVE ID, CWE ID, vulnerability type(s), publish date, update date, score, gained access level, access vector, access complexity, authentication, and confidentiality / integrity / availability impact. The "# of Exploits" column is empty for every entry and is omitted; "???" is how the source page renders an unpopulated field.

1. CVE-2022-31038 | CWE-79 | Type: XSS | Published 2022-06-09 | Updated 2022-06-17
   Score 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf.: None | Integ.: Partial | Avail.: None
   Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters.

2. CVE-2022-1993 | CWE-22 | Type: Dir. Trav. | Published 2022-06-09 | Updated 2022-06-15
   Score 5.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: None
   Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.

3. CVE-2022-1986 | CWE-78 | Type: not listed | Published 2022-06-09 | Updated 2022-06-15
   Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9.

4. CVE-2022-1464 | CWE-79 | Type: Exec Code, XSS | Published 2022-05-05 | Updated 2022-05-13
   Score 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf.: None | Integ.: Partial | Avail.: None
   Stored XSS bug in GitHub repository gogs/gogs prior to 0.12.7. Because the repository is public, any user can view the report, and when the attachment is opened the XSS executes. This bug allows execution of arbitrary JavaScript in the victim's account.

5. CVE-2022-1285 | CWE-918 | Type: not listed | Published 2022-06-01 | Updated 2022-06-08
   Score 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8.

6. CVE-2022-0871 | CWE-863 | Type: not listed | Published 2022-03-11 | Updated 2022-03-22
   Score 5.8 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: None
   Improper Authorization in GitHub repository gogs/gogs prior to 0.12.5.

7. CVE-2022-0870 | CWE-918 | Type: not listed | Published 2022-03-11 | Updated 2022-03-22
   Score 5.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5.

8. CVE-2022-0415 | CWE-434 | Type: Exec Code | Published 2022-03-21 | Updated 2022-03-25
   Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Remote command execution when uploading a repository file in GitHub repository gogs/gogs prior to 0.12.6.

9. CVE-2021-32546 | CWE: not listed | Type: Exec Code | Published 2022-06-02 | Updated 2022-06-09
   Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configuration can contain an option such as sshCommand, which is executed when a master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the Git configuration file. One can create a new file in a new repository, using the GUI, with "\" as its name, and then rename this file to .git/config with the custom configuration content (and then save it).
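The CVE-2021-32546 entry describes the whole chain: a web editor accepts "\" as a file name, accepts a rename to .git/config, and git later runs whatever sshCommand that file names. The defensive counterpart is to refuse any user-supplied path that resolves to a .git component, at both ends of a rename. The Go code below is an added example written for this page, not Gogs's repo_editor.go or its fix; ValidateRepoPath, RenameInRepo, isDotGit and the in-memory files map are assumed names constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafePath is returned for any user-supplied path that must not be
// written under a repository's working tree.
var ErrUnsafePath = errors.New("unsafe repository path")

// isDotGit reports whether a single path component would be treated as the
// repository metadata directory by git on some platform: ".git" in any case,
// with trailing dots or spaces stripped (NTFS), or the 8.3 short name "git~1".
func isDotGit(comp string) bool {
	c := strings.TrimRight(strings.ToLower(comp), ". ")
	return c == ".git" || c == "git~1"
}

// ValidateRepoPath checks a file name or rename target submitted through a
// web repository editor (hypothetical helper, not Gogs's own code). It returns
// the cleaned, slash-separated path that is safe to join onto the repository
// root, or ErrUnsafePath.
func ValidateRepoPath(p string) (string, error) {
	// Reject empty names, absolute paths, NUL and backslash outright. A lone
	// "\" is the first step of the CVE-2021-32546 vector, and a backslash is
	// a separator on Windows even though git stores paths with "/".
	if p == "" || p[0] == '/' || strings.ContainsAny(p, "\x00\\") {
		return "", ErrUnsafePath
	}
	// path.Clean on a rooted copy resolves every ".." against the repository
	// root instead of letting it climb above it.
	clean := strings.TrimPrefix(path.Clean("/"+p), "/")
	if clean == "" {
		return "", ErrUnsafePath // "." or "./" resolve to the root itself
	}
	for _, comp := range strings.Split(clean, "/") {
		// Writing any component named .git lets the user land files in
		// .git/config (sshCommand, core.fsmonitor, ...) or .git/hooks/*, both
		// of which execute commands on the server.
		if isDotGit(comp) {
			return "", ErrUnsafePath
		}
	}
	return clean, nil
}

// RenameInRepo applies the same check to both ends of a rename, which is the
// step the CVE-2021-32546 description singles out: create "\" through the
// GUI, then rename it to .git/config. files is a constructed in-memory stand-in
// for the working tree.
func RenameInRepo(files map[string]string, oldName, newName string) error {
	from, err := ValidateRepoPath(oldName)
	if err != nil {
		return fmt.Errorf("rename source %q: %w", oldName, err)
	}
	to, err := ValidateRepoPath(newName)
	if err != nil {
		return fmt.Errorf("rename target %q: %w", newName, err)
	}
	content, ok := files[from]
	if !ok {
		return fmt.Errorf("rename source %q: no such file", from)
	}
	delete(files, from)
	files[to] = content
	return nil
}

func main() {
	files := map[string]string{"README.md": "# demo\n"} // constructed sample repository
	for _, name := range []string{"\\", ".git/config", "docs/../.git/hooks/post-receive", "src/main.go"} {
		clean, err := ValidateRepoPath(name)
		fmt.Printf("%-36q -> %q, %v\n", name, clean, err)
	}
	fmt.Println(RenameInRepo(files, "README.md", ".git/config"))
	fmt.Println(RenameInRepo(files, "README.md", "docs/README.md"), files)
}
```

The check is deliberately stricter than "reject .git/config": anything under .git (hooks, config, info/attributes) is server-executable or server-interpreted, and the traversal form docs/../.git/... must be canonicalised before the component test, which is why path.Clean runs first.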
10. CVE-2020-15867 | CWE: not listed | Type: Exec Code | Published 2020-10-16 | Updated 2022-04-26
   Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the documentation but not in the UI, it could be considered a "Product UI does not Warn User of Unsafe Actions" issue.

11. CVE-2020-9329 | CWE-362 | Type: not listed | Published 2020-02-21 | Updated 2020-02-25
   Score 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   Gogs through 0.11.91 allows attackers to violate the admin-specified repo-creation policy due to an internal/db/repo.go race condition.

12. CVE-2018-20303 | CWE-22 | Type: Dir. Trav. | Published 2018-12-20 | Updated 2019-01-31
   Score 5.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.

13. CVE-2018-18925 | CWE-384 | Type: Exec Code | Published 2018-11-04 | Updated 2019-01-29
   Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.

14. CVE-2018-15192 | CWE-918 | Type: not listed | Published 2018-08-08 | Updated 2018-10-18
   Score 5.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.

15. CVE-2018-15178 | CWE-601 | Type: not listed | Published 2018-08-08 | Updated 2018-10-05
   Score 5.8 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: None
   Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.
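The CVE-2018-15178 entry hinges on one browser quirk: a backslash in a URL is normalised to a forward slash, so a redirect_to value of /\evil.example becomes //evil.example, a protocol-relative URL to another host, and a check that only insists on a leading "/" is satisfied. The Go code below is an added example, not Gogs's isValidRedirect from routes/user/auth.go: isValidRedirectNaive is an assumed reconstruction of the weak shape of check the description implies, and IsSafeRedirect and RedirectTarget are hypothetical hardened replacements written for this page.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isValidRedirectNaive is a deliberately weak check of the kind the
// CVE-2018-15178 description implies (assumed shape, not the Gogs source):
// it insists on a leading "/" and rejects a protocol-relative "//" prefix,
// but nothing else, so "/\evil.example" passes.
func isValidRedirectNaive(target string) bool {
	return strings.HasPrefix(target, "/") && !strings.HasPrefix(target, "//")
}

// IsSafeRedirect accepts only a path on the current origin. It is a
// hypothetical hardened replacement, not Gogs's isValidRedirect.
func IsSafeRedirect(target string) bool {
	if len(target) < 1 || target[0] != '/' {
		return false // relative path or absolute URL, not a local path
	}
	// Browsers treat "\" as "/" in URLs and strip tabs and newlines, so
	// "/\evil.example" and "/\t/evil.example" both become "//evil.example".
	if strings.ContainsAny(target, "\\\t\r\n\x00") {
		return false
	}
	if len(target) > 1 && target[1] == '/' {
		return false // protocol-relative "//host/..."
	}
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	// Percent-encoded bytes are decoded into u.Path; this catches
	// "/%5Cevil.example" and "/%2Fevil.example" after decoding.
	if strings.ContainsAny(u.Path, "\\") || strings.HasPrefix(u.Path, "//") {
		return false
	}
	return true
}

// RedirectTarget returns target when it is safe and fallback otherwise; a
// login handler would pass the request's redirect_to parameter here.
func RedirectTarget(target, fallback string) string {
	if IsSafeRedirect(target) {
		return target
	}
	return fallback
}

func main() {
	// Constructed sample redirect_to values, including the CVE's /\ vector.
	for _, target := range []string{"/user/settings", "/\\evil.example", "//evil.example", "https://evil.example/", "/%5Cevil.example"} {
		fmt.Printf("%-24q naive=%-5v hardened=%v\n", target, isValidRedirectNaive(target), IsSafeRedirect(target))
	}
}
```

An allow-list of local paths is safer still where the set of post-login destinations is small; the parse-and-reject approach above is for the common case where any same-origin path is acceptable.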
Total number of vulnerabilities: 15 (page 1 of 1)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.