Product:

Gogs

(Gogs)
Repositories https://github.com/gogs/gogs
#Vulnerabilities 25
Date Id Summary Products Score Patch Annotated
2019-08-02 CVE-2019-14544 routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks. Gogs 9.8
2018-12-19 CVE-2018-20303 In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925. Gogs 7.5
2018-11-04 CVE-2018-18925 Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron. Gogs 9.8
2018-09-14 CVE-2018-17031 In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not sent. Gogs 6.1
2018-09-03 CVE-2018-16409 In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to SSRF. Gogs 8.6
2018-08-08 CVE-2018-15193 A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. Gogs 8.8
2018-08-08 CVE-2018-15192 An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services. Gitea, Gogs 8.6
2018-08-07 CVE-2018-15178 Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go. Gogs 6.1