10 matches found
CVE-2022-0415
Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
CVE-2022-0871
Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.
CVE-2024-54148
Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
CVE-2024-39930
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Window...
CVE-2022-32174
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
CVE-2019-14544
routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.
CVE-2022-2024
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
CVE-2024-39931
Gogs through 0.13.0 allows deletion of internal files.
CVE-2018-18925
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
CVE-2024-39932
Gogs through 0.13.0 allows argument injection during the previewing of changes.