Vulnerabilities > Gogs

DATE CVE VULNERABILITY TITLE RISK
2020-06-21 CVE-2020-14958 Improper Preservation of Permissions vulnerability in Gogs 0.11.91
In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email" check.
network
low complexity
gogs CWE-281
6.5
2020-02-21 CVE-2020-9329 Race Condition vulnerability in Gogs
Gogs through 0.11.91 allows attackers to violate the admin-specified repo-creation policy due to an internal/db/repo.go race condition.
network
high complexity
gogs CWE-362
5.9
2019-08-02 CVE-2019-14544 Missing Authorization vulnerability in Gogs 0.11.86
routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.
network
low complexity
gogs CWE-862
critical
9.8
2018-12-20 CVE-2018-20303 Path Traversal vulnerability in Gogs
In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.
network
low complexity
gogs CWE-22
7.5
2018-11-04 CVE-2018-18925 Session Fixation vulnerability in Gogs
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go.
network
low complexity
gogs CWE-384
critical
9.8
2018-09-14 CVE-2018-17031 Cross-site Scripting vulnerability in Gogs 0.11.53
In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not sent.
network
low complexity
gogs CWE-79
6.1
2018-09-03 CVE-2018-16409 Server-Side Request Forgery (SSRF) vulnerability in Gogs 0.11.53
In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to SSRF.
network
low complexity
gogs CWE-918
8.6
2018-08-08 CVE-2018-15193 Cross-Site Request Forgery (CSRF) vulnerability in Gogs 0.11.53
A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link.
network
low complexity
gogs CWE-352
8.8
2018-08-08 CVE-2018-15192 Server-Side Request Forgery (SSRF) vulnerability in multiple products
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.
network
low complexity
gogs gitea CWE-918
8.6
2018-08-08 CVE-2018-15178 Open Redirect vulnerability in Gogs
Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.
network
low complexity
gogs CWE-601
6.1