Go modules package
gogs.io/gogs
pkg:golang/gogs.io/gogs
Vulnerabilities (49)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-14958 | — | | | < 0.12.0 | 0.12.0 | Jun 21, 2020 | In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email" check. |
| CVE-2019-14544 | — | | | < 0.11.91 | 0.11.91 | Aug 2, 2019 | routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks. |
| CVE-2018-20303 | — | | | < 0.11.80-0.20181218063808-ff93d9dbda5c | 0.11.80-0.20181218063808-ff93d9dbda5c | Dec 20, 2018 | In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925. |
| CVE-2018-17031 | — | | | < 0.12.0 | 0.12.0 | Sep 14, 2018 | In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not sent. |
| CVE-2018-15192 | — | | | < 0.12.0 | 0.12.0 | Aug 8, 2018 | An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services. |
| CVE-2018-15178 | — | | | < 0.12.0 | 0.12.0 | Aug 8, 2018 | Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go. |
| CVE-2014-8683 | — | | | >= 0.3.1, < 0.5.8 | 0.5.8 | Nov 21, 2014 | Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown. |
| CVE-2014-8682 | — | | | >= 0.3.1, < 0.5.8 | 0.5.8 | Nov 21, 2014 | Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1 |
| CVE-2014-8681 | — | | | >= 0.3.1, < 0.5.8 | 0.5.8 | Nov 21, 2014 | SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues. |
Page 3 of 3