VYPR
Moderate severity · NVD Advisory · Published Nov 21, 2014 · Updated May 6, 2026

CVE-2014-8683

Description

Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions    Patched versions
gogs.io/gogs   Go          >= 0.3.1, < 0.5.8    0.5.8

Affected products

  • Gogits/Gogs (6 versions)
    • cpe:2.3:a:gogits:gogs:*:*:*:*:*:*:*:* (range: <= 0.5.5)
    • cpe:2.3:a:gogits:gogs:0.3.1-9:*:*:*:*:*:*:*
    • cpe:2.3:a:gogits:gogs:0.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:gogits:gogs:0.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:gogits:gogs:0.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:gogits:gogs:0.5.2:*:*:*:*:*:*:*

Patches

Commit 3abc41cccab2

Fix API broken

https://github.com/gogits/gogs · Unknwon · Oct 19, 2014 · via ghsa
10 files changed · +12 −10
  • cmd/web.go (+1 −1, modified)
    @@ -71,7 +71,7 @@ func checkVersion() {
     		log.Fatal(4, "Package i18n version is too old, did you forget to update?(github.com/macaron-contrib/i18n)")
     	}
     	sessionVer := git.MustParseVersion(session.Version())
    -	if sessionVer.LessThan(git.MustParseVersion("0.0.1")) {
    +	if sessionVer.LessThan(git.MustParseVersion("0.0.3")) {
     		log.Fatal(4, "Package session version is too old, did you forget to update?(github.com/macaron-contrib/session)")
     	}
     }
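Review bot: the minimum version required for macaron-contrib/session is raised from 0.0.1 to 0.0.3, but neither the hunk nor the commit message ("Fix API broken") says which API change in that package forced the bump; record that in the commit message or in a comment beside the check, so that someone auditing this commit for the CVE fix can tell this hunk is a dependency-compatibility change and not part of the security fix.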
    
  • gogs.go (+1 −1, modified)
    @@ -17,7 +17,7 @@ import (
     	"github.com/gogits/gogs/modules/setting"
     )
     
    -const APP_VER = "0.5.5.1015 Beta"
    +const APP_VER = "0.5.5.1018 Beta"
     
     func init() {
     	runtime.GOMAXPROCS(runtime.NumCPU())
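Review bot: APP_VER moves from 0.5.5.1015 Beta to 0.5.5.1018 Beta and templates/.VERSION is bumped to the same string in this commit, so the two stay consistent. For readers of the advisory: this string is still in the 0.5.5 series, while the advisory lists 0.5.8 as the first patched version, so this commit alone should not be taken as the version boundary for CVE-2014-8683.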
    
  • modules/middleware/context.go (+1 −1, modified)
    @@ -147,7 +147,7 @@ func (ctx *Context) ServeContent(name string, r io.ReadSeeker, params ...interfa
     	ctx.Resp.Header().Set("Expires", "0")
     	ctx.Resp.Header().Set("Cache-Control", "must-revalidate")
     	ctx.Resp.Header().Set("Pragma", "public")
    -	http.ServeContent(ctx.Resp, ctx.Req, name, modtime, r)
    +	http.ServeContent(ctx.Resp, ctx.Req.Request, name, modtime, r)
     }
     
     // Contexter initializes a classic context for a request.
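Review bot: the only change is passing ctx.Req.Request instead of ctx.Req to http.ServeContent, which tells us ctx.Req is now a wrapper type embedding *http.Request; routers/repo/http.go and routers/user/auth.go receive the same one-line unwrap in this commit. This is a compile fix for a framework API change and does not alter the cache headers set just above it, which is worth stating in the commit message so the file is not mistaken for the XSS fix.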
    
  • README.md (+2 −1, modified)
    @@ -46,7 +46,7 @@ The goal of this project is to make the easiest, fastest and most painless way t
     - Slack webhook integration
     - Supports MySQL, PostgreSQL and SQLite3
     - Social account login(GitHub, Google, QQ, Weibo)
    -- Multi-language support(English, Simplified Chinese, Traditional Chinese, Germany, French, Dutch etc.)
    +- Multi-language support(English, Simplified Chinese, Traditional Chinese, Germany, French, Dutch, and [more](https://crowdin.com/project/gogs))
     
     ## System Requirements
     
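Review bot: since this line is being rewritten anyway, fix "Germany" to "German" in the language list (the line names languages, not countries) and add a space before the parenthesis: `- Multi-language support (English, Simplified Chinese, Traditional Chinese, German, French, Dutch, and [more](https://crowdin.com/project/gogs))`.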
    @@ -73,6 +73,7 @@ There are 5 ways to install Gogs:
     - Usage and modification from [beego](http://beego.me) modules.
     - Thanks [lavachen](http://www.lavachen.cn/) and [Rocker](http://weibo.com/rocker1989) for designing Logo.
     - Thanks [gobuild.io](http://gobuild.io) for providing binary compile and download service.
    +- Thanks to [Crowdin](https://crowdin.com/project/gogs) for providing open source translation plan.
     
     ## Contributors
     
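Review bot: the added line reads awkwardly; suggest `- Thanks to [Crowdin](https://crowdin.com/project/gogs) for providing free localization support for open source projects.`, which also matches the wording of the equivalent line added to README_ZH.md in this commit.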
    
  • README_ZH.md (+2 −1, modified)
    @@ -37,7 +37,7 @@ Gogs 的目标是打造一个最简单、最快速和最轻松的方式搭建自
     - Slack Web 钩子集成
     - 支持 MySQL、PostgreSQL 以及 SQLite3 数据库
     - 社交帐号登录(GitHub、Google、QQ、微博)
    -- 多语言支持(英文、简体中文、繁体中文、德语、法语、荷兰语等等)
    +- 多语言支持(英文、简体中文、繁体中文、德语、法语、荷兰语以及 [更多]([more](https://crowdin.com/project/gogs)))
     
     ## 系统要求
     
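Review bot: the new link is malformed: `[更多]([more](https://crowdin.com/project/gogs))` nests a Markdown link inside the link target, so the rendered href will be the literal text `[more](https://crowdin.com/project/gogs)` rather than the URL. It should be `[更多](https://crowdin.com/project/gogs)`, matching the English README.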
    @@ -64,6 +64,7 @@ Gogs 的目标是打造一个最简单、最快速和最轻松的方式搭建自
     - 基于 [GoBlog](https://github.com/fuxiaohei/goblog) 修改的系统监视状态。
     - 感谢 [gobuild.io](http://gobuild.io) 提供二进制编译与下载服务。
     - 感谢 [lavachen](http://www.lavachen.cn/) 和 [Rocker](http://weibo.com/rocker1989) 设计的 Logo。
    +- 感谢 [Crowdin](https://crowdin.com/project/gogs) 提供免费的开源项目本地化支持。
     
     ## 贡献成员
     
    
  • routers/api/v1/miscellaneous.go (+1 −2, modified)
    @@ -5,7 +5,6 @@
     package v1
     
     import (
    -	"io/ioutil"
     	"strings"
     
     	"github.com/gogits/gogs/modules/auth/apiv1"
    @@ -34,7 +33,7 @@ func Markdown(ctx *middleware.Context, form apiv1.MarkdownForm) {
     
     // Render a Markdown document in raw mode.
     func MarkdownRaw(ctx *middleware.Context) {
    -	body, err := ioutil.ReadAll(ctx.Req.Body)
    +	body, err := ctx.Req.Body().Bytes()
     	if err != nil {
     		ctx.JSON(422, base.ApiJsonErr{err.Error(), DOC_URL})
     		return
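Review bot: ctx.Req.Body().Bytes() reads the whole request body into memory exactly as ioutil.ReadAll did, so this remains an unbounded read on an endpoint that accepts arbitrary request bodies; capping the body size before it is read (for example by wrapping the underlying request body with http.MaxBytesReader) would bound the allocation. Separately, the advisory text for this CVE points at models/issue.go and the text parameter of api/v1/markdown, and neither that file nor the rendering logic of the Markdown handler appears in this diff; the commit message should say whether this commit is part of the XSS fix or only a framework-compatibility change.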
    
  • routers/install.go (+1 −0, modified)
    @@ -229,6 +229,7 @@ func InstallPost(ctx *middleware.Context, form auth.InstallForm) {
     	setting.Cfg.SetValue("log", "MODE", "file")
     
     	setting.Cfg.SetValue("security", "INSTALL_LOCK", "true")
    +	setting.Cfg.SetValue("security", "SECRET_KEY", base.GetRandomString(15))
     
     	os.MkdirAll("custom/conf", os.ModePerm)
     	if err := goconfig.SaveConfigFile(setting.Cfg, path.Join(setting.CustomPath, "conf/app.ini")); err != nil {
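Review bot: writing a freshly generated SECRET_KEY into app.ini at install time is the right direction, but 15 characters is short for a secret the application will rely on for signing or encryption; consider at least 32 characters, and confirm that base.GetRandomString draws from crypto/rand rather than math/rand, since a predictable key would undermine everything derived from it. The hunk does not show GetRandomString, so that check has to be made against its implementation.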
    
  • routers/repo/http.go (+1 −1, modified)
    @@ -204,7 +204,7 @@ func Http(ctx *middleware.Context) {
     	config := Config{setting.RepoRootPath, "git", true, true, f}
     
     	handler := HttpBackend(&config)
    -	handler(ctx.Resp, ctx.Req)
    +	handler(ctx.Resp, ctx.Req.Request)
     }
     
     type route struct {
    
  • routers/user/auth.go (+1 −1, modified)
    @@ -229,7 +229,7 @@ func SignUpPost(ctx *middleware.Context, cpt *captcha.Captcha, form auth.Registe
     		return
     	}
     
    -	if !cpt.VerifyReq(ctx.Req) {
    +	if !cpt.VerifyReq(ctx.Req.Request) {
     		ctx.Data["Err_Captcha"] = true
     		ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), SIGNUP, &form)
     		return
    
  • templates/.VERSION (+1 −1, modified)
    @@ -1 +1 @@
    -0.5.5.1015 Beta
    \ No newline at end of file
    +0.5.5.1018 Beta
    \ No newline at end of file
    
