Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook...
CVSS 5.3 | AI Score 6.8 | EPSS 0.0005

The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its...
CVSS 5.3 | AI Score 5.2 | EPSS 0.001

Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of...
CVSS 5.3 | AI Score 5.3 | EPSS 0.001

CVSS 9.8 | AI Score 9.8 | EPSS 0.002

In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account...
CVSS 9 | AI Score 7.8 | EPSS 0.005

CVSS 9.8 | AI Score 9.7 | EPSS 0.002

CVSS 8.1 | AI Score 8 | EPSS 0.028

Gogs is an open source self-hosted Git service. In versions of Gogs prior to 0.12.9, DisplayName does not filter characters input by users, which leads to an XSS vulnerability when the value is displayed directly in the issue list. This issue has been resolved in commit 155cae1d, which sanitizes DisplayName...
CVSS 5.4 | AI Score 5.1 | EPSS 0.001

CVSS 9.1 | AI Score 9.2 | EPSS 0.001

Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in their repository. This leads to Remote Command Execution, because that configuration can contain...
CVSS 8.8 | AI Score 8.9 | EPSS 0.004

CVSS 6.5 | AI Score 6.4 | EPSS 0.001

Stored XSS bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public, any user can view the report, and when the attachment is opened the XSS is executed. This bug allows execution of arbitrary JavaScript code in the victim's account...
CVSS 5.4 | AI Score 5.4 | EPSS 0.001

Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to...
CVSS 8.8 | AI Score 8.8 | EPSS 0.118

CVSS 9.1 | AI Score 9.1 | EPSS 0.002

CVSS 5.3 | AI Score 5.2 | EPSS 0.001

The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the documentation but not in the...
CVSS 7.2 | AI Score 7.4 | EPSS 0.968

In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email"...
CVSS 6.5 | AI Score 6.4 | EPSS 0.001

Gogs through 0.11.91 allows attackers to violate the admin-specified repo-creation policy due to an internal/db/repo.go race...
CVSS 5.9 | AI Score 5.7 | EPSS 0.001

routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and...
CVSS 9.8 | AI Score 9.4 | EPSS 0.002

Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file...
CVSS 8.8 | AI Score 8.6 | EPSS 0.011

In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to...
CVSS 7.5 | AI Score 8.6 | EPSS 0.002

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for...
CVSS 9.8 | AI Score 8 | EPSS 0.095

In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not...
CVSS 6.1 | AI Score 6.1 | EPSS 0.001

In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to...
CVSS 8.6 | AI Score 7.4 | EPSS 0.001

A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue /...
CVSS 8.8 | AI Score 7.8 | EPSS 0.002

An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet...
CVSS 8.6 | AI Score 8.6 | EPSS 0.001

Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in...
CVSS 6.1 | AI Score 6.2 | EPSS 0.001

Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search,...
AI Score 8.4 | EPSS 0.006

SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to...
AI Score 8.2 | EPSS 0.002

Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to...
AI Score 5.5 | EPSS 0.005