Go modules package

gogs.io/gogs

pkg:golang/gogs.io/gogs

Vulnerabilities (49)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-55947	—	< 0.13.1	0.13.1	Dec 23, 2024	Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
CVE-2024-54148	—	< 0.13.1	0.13.1	Dec 23, 2024	Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
CVE-2022-1884	—	< 0.12.8	0.12.8	Nov 15, 2024	A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the
CVE-2024-44625	—	< 0.13.2	0.13.2	Nov 15, 2024	Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.
CVE-2024-39933	—	< 0.13.1	0.13.1	Jul 4, 2024	Gogs through 0.13.0 allows argument injection during the tagging of a new release.
CVE-2024-39932	—	< 0.13.1	0.13.1	Jul 4, 2024	Gogs through 0.13.0 allows argument injection during the previewing of changes.
CVE-2024-39931	—	< 0.13.1	0.13.1	Jul 4, 2024	Gogs through 0.13.0 allows deletion of internal files.
CVE-2024-39930	—	< 0.13.1	0.13.1	Jul 4, 2024	The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server i
CVE-2022-2024	—	< 0.12.11	0.12.11	Feb 25, 2023	OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
CVE-2022-32174	—	>= 0.6.5, <= 0.12.10	—	Oct 11, 2022	In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
CVE-2022-1986	—	< 0.12.9	0.12.9	Jun 9, 2022	OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9.
CVE-2022-31038	—	< 0.12.9	0.12.9	Jun 8, 2022	Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sani
CVE-2022-1993	—	< 0.12.9	0.12.9	Jun 8, 2022	Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
CVE-2022-1992	—	< 0.12.9	0.12.9	Jun 8, 2022	Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
CVE-2022-1285	—	< 0.12.8	0.12.8	Jun 1, 2022	Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8.
CVE-2021-32546	—	< 0.12.8	0.12.8	May 31, 2022	Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configu
CVE-2022-1464	—	< 0.12.7	0.12.7	May 5, 2022	Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account .
CVE-2022-0415	—	< 0.12.6	0.12.6	Mar 21, 2022	Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
CVE-2022-0870	—	< 0.12.5	0.12.5	Mar 11, 2022	Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5.
CVE-2022-0871	—	< 0.12.5	0.12.5	Mar 11, 2022	Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.

CVE-2024-55947Dec 23, 2024
affected < 0.13.1fixed 0.13.1
Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
CVE-2024-54148Dec 23, 2024
affected < 0.13.1fixed 0.13.1
Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
CVE-2022-1884Nov 15, 2024
affected < 0.12.8fixed 0.12.8
A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the
CVE-2024-44625Nov 15, 2024
affected < 0.13.2fixed 0.13.2
Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.
CVE-2024-39933Jul 4, 2024
affected < 0.13.1fixed 0.13.1
Gogs through 0.13.0 allows argument injection during the tagging of a new release.
CVE-2024-39932Jul 4, 2024
affected < 0.13.1fixed 0.13.1
Gogs through 0.13.0 allows argument injection during the previewing of changes.
CVE-2024-39931Jul 4, 2024
affected < 0.13.1fixed 0.13.1
Gogs through 0.13.0 allows deletion of internal files.
CVE-2024-39930Jul 4, 2024
affected < 0.13.1fixed 0.13.1
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server i
CVE-2022-2024Feb 25, 2023
affected < 0.12.11fixed 0.12.11
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
CVE-2022-32174Oct 11, 2022
affected >= 0.6.5, <= 0.12.10
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
CVE-2022-1986Jun 9, 2022
affected < 0.12.9fixed 0.12.9
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9.
CVE-2022-31038Jun 8, 2022
affected < 0.12.9fixed 0.12.9
Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sani
CVE-2022-1993Jun 8, 2022
affected < 0.12.9fixed 0.12.9
Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
CVE-2022-1992Jun 8, 2022
affected < 0.12.9fixed 0.12.9
Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
CVE-2022-1285Jun 1, 2022
affected < 0.12.8fixed 0.12.8
Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8.
CVE-2021-32546May 31, 2022
affected < 0.12.8fixed 0.12.8
Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configu
CVE-2022-1464May 5, 2022
affected < 0.12.7fixed 0.12.7
Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account .
CVE-2022-0415Mar 21, 2022
affected < 0.12.6fixed 0.12.6
Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
CVE-2022-0870Mar 11, 2022
affected < 0.12.5fixed 0.12.5
Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5.
CVE-2022-0871Mar 11, 2022
affected < 0.12.5fixed 0.12.5
Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.

Page 2 of 3