OS Command Injection in file editor in Gogs
Impact A malicious user is able to upload a crafted config file into the repository's .git directory, in combination with a crafted file deletion, to gain SSH access to the server. All installations with repository upload enabled (the default) are affected. Patches File deletions are prohibited to repository...
GHSA-XQ4V-VRP9-VCF2 Cross-site Scripting vulnerability in repository issue list in Gogs
Impact DisplayName accepts any characters from users, which leads to an XSS vulnerability when it is displayed directly in the issue list. Patches DisplayName is sanitized before being displayed. Users should upgrade to 0.12.9 or the latest 0.13.0+dev. Workarounds Check and update the existing users...
OS Command Injection in gogs
Impact A malicious user is able to upload a crafted config file into the repository's .git directory to gain SSH access to the server. All Windows installations with repository upload enabled (the default) are affected. Patches Repository file uploads are prohibited to its .git directory. Users shou...
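Both upload advisories above come down to the same server-side check: a user-supplied repository path must never resolve into the .git directory, whether the operation is a write or a delete. The following is an added illustration of that check, not code from Gogs; the function name validateRepoPath and the sample paths are assumptions made here. It normalises Windows backslashes first (the second advisory is Windows-specific), rejects ".." traversal, and treats any path component equal to ".git" as forbidden, case-insensitively, because Windows filesystems are case-insensitive.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// validateRepoPath normalises a user-supplied repository path and returns the
// cleaned relative path, or an error if the path may not be written or
// deleted. This is an added example, not Gogs's implementation.
func validateRepoPath(p string) (string, error) {
	// On Windows a backslash is a separator too, so "foo\.git\config" must
	// not slip past a check that only splits on "/".
	p = strings.ReplaceAll(p, "\\", "/")

	// path.Clean collapses "." and "a/.." but keeps a leading ".." that
	// would escape the repository root, so we can still detect traversal.
	clean := strings.TrimPrefix(path.Clean(p), "/")
	if clean == "" || clean == "." {
		return "", fmt.Errorf("empty path")
	}

	for _, part := range strings.Split(clean, "/") {
		if part == ".." {
			return "", fmt.Errorf("path traversal rejected: %q", p)
		}
		// Case-insensitive: ".GIT/config" is ".git/config" on Windows.
		if strings.EqualFold(part, ".git") {
			return "", fmt.Errorf("writes or deletes inside .git are not allowed: %q", p)
		}
	}
	return clean, nil
}

func main() {
	// Constructed sample inputs, not taken from any real report.
	for _, p := range []string{
		".git/config",
		`sub\.GIT\hooks\post-receive`,
		"a/../../.git/config",
		"./src/../README.md",
		"docs/.gitignore",
	} {
		clean, err := validateRepoPath(p)
		fmt.Printf("%-32q -> %q %v\n", p, clean, err)
	}
}
```

The check is purely lexical: it decides on the string, not on the filesystem. If the working tree already contains a symlink that points into .git, a write through that symlink is invisible to this function, so a server that materialises uploads should also refuse to follow symlinks when it resolves the final destination.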
PT-2022-13774 · Gogs · Gogs
Name of the Vulnerable Software and Affected Versions: gogs/gogs versions prior to 0.12.8 Description: The issue is a Server-Side Request Forgery (SSRF) in the GitHub repository gogs/gogs. It allows a malicious user to discover services in the internal network through webhook...
PT-2022-13488 · Gogs · Gogs
Name of the Vulnerable Software and Affected Versions: gogs versions prior to 0.12.5 Description: The issue is a Server-Side Request Forgery (SSRF) in the repository migration functionality of gogs. It allows a malicious user to discover services in the internal network. All installation...
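The two SSRF entries above (webhook delivery and repository migration) share one root cause: the server fetches a user-supplied URL without checking where it points. The following is an added example of the validation a server should apply before making such a request; it is not Gogs's code, and the names checkOutboundURL, Resolver, isInternal and the example hostnames are assumptions made here. It restricts the scheme to http/https, resolves the hostname, and rejects loopback, private, link-local, multicast and unspecified addresses, including IPv4-mapped IPv6 forms such as ::ffff:10.0.0.1. The resolver is injected so the check can be exercised offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// Resolver abstracts DNS lookup so the check can be tested without network.
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// systemResolver uses the operating system's resolver.
func systemResolver(ctx context.Context, host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(ctx, "ip", host)
}

// isInternal reports whether an address must never be the target of a
// server-initiated request such as a webhook delivery or a migration clone.
func isInternal(a netip.Addr) bool {
	a = a.Unmap() // ::ffff:10.0.0.1 is 10.0.0.1
	return a.IsLoopback() ||
		a.IsPrivate() ||
		a.IsLinkLocalUnicast() || // includes 169.254.169.254 (cloud metadata)
		a.IsLinkLocalMulticast() ||
		a.IsInterfaceLocalMulticast() ||
		a.IsMulticast() ||
		a.IsUnspecified()
}

// checkOutboundURL validates a user-supplied URL and returns the resolved
// addresses the caller is allowed to connect to. Added example, not Gogs's code.
func checkOutboundURL(ctx context.Context, raw string, resolve Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid URL: %w", err)
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // strips the port and the [] around IPv6 literals
	if host == "" {
		return nil, fmt.Errorf("missing host")
	}

	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // literal address: no DNS needed
	} else {
		addrs, err = resolve(ctx, host)
		if err != nil {
			return nil, fmt.Errorf("resolve %q: %w", host, err)
		}
		if len(addrs) == 0 {
			return nil, fmt.Errorf("resolve %q: no addresses", host)
		}
	}
	// Every address must be public; one internal record is enough to reject.
	for _, a := range addrs {
		if isInternal(a) {
			return nil, fmt.Errorf("target %s resolves to internal address %s", host, a)
		}
	}
	return addrs, nil
}

func main() {
	// Literal addresses only, so this runs without DNS. Constructed inputs.
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:10.1.2.3]:3000/hook",
		"https://198.51.100.7/webhook",
	} {
		addrs, err := checkOutboundURL(context.Background(), raw, systemResolver)
		fmt.Printf("%-44s -> %v %v\n", raw, addrs, err)
	}
}
```

The addresses returned are the ones that passed the check; a server that then lets its HTTP client resolve the hostname a second time reopens the hole via DNS rebinding, and must also re-validate every redirect target. The robust pattern is to dial only the addresses returned here (for example through a custom DialContext) rather than the hostname.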