7 matches found
Gogs (Go Git Service) - SQL Injection
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is...
GO-2020-0021 SQL Injection in github.com/gogits/gogs
Due to improper sanitization of user input, a number of methods are vulnerable to SQL injection if used with user input that has not been sanitized by the caller...
Cross-site Scripting (XSS)
github.com/gogits/gogs is vulnerable to cross-site scripting (XSS) attacks. The attacks can be triggered because a user can change their username to anything other than an empty string. This allows them to enter code which may be executed...
Cross-site Scripting (XSS)
github.com/gogits/gogs is vulnerable to cross-site scripting (XSS) attacks. The library's wiki templates do not sanitize user input, allowing a malicious user to inject and execute arbitrary code...
SQL Injection
github.com/gogits/gogs is vulnerable to SQL injection attacks. These attacks are possible through the label parameter given to the GetIssues function in models/issue.go...
Unauthorised Release Deletion
github.com/gogits/gogs is vulnerable to unauthorised release deletions. A malicious user can delete another user's repository releases by modifying a POST request...
Timing Attack
github.com/gogits/gogs is vulnerable to timing attacks. This vulnerability is caused because passwords are not validated in constant time, allowing malicious users to guess valid passwords based on the time that a validation takes...