| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3. |
| Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3. |
| In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover. |
| Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters. |
| The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected. |
| Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1. |
| Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1. |
| Gogs through 0.13.0 allows argument injection during the tagging of a new release. |
| Gogs through 0.13.0 allows argument injection during the previewing of changes. |
| Gogs through 0.13.0 allows deletion of internal files. |
| OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11. |
| Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. |
| Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. |
| Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. |
| OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9. |
| Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account . |
| Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8. |
| Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5. |
| Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5. |
| Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6. |
