Gogs 0.9.48 Security Vulnerabilities
A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises from improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` (Windows drops the trailing dot when resolving the name, so the path lands in `.git`) to upload a file into the .git directory, allowing them to write or rewrite the `.git/config` file. If `core.sshCommand` is set there, git runs the configured command in place of ssh, which leads to remote command execution.
CVSS Score
10.0
EPSS Score
0.098
Published
2024-11-15
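As an added illustration of the `tree_path` check described above (not Gogs's own upload code), the Go functions below contrast a naive `.git` test with one that normalizes each path component the way NTFS and the Win32 file APIs do: trailing dots and spaces are dropped, names compare case-insensitively, a colon introduces an alternate data stream, and `GIT~1` is the 8.3 short name for `.git`. The hardened check rejects on every platform, so it does not depend on detecting the host OS. Function names and the sample inputs are constructed for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// naiveTreePathOK is the kind of check the ".git." trick gets past: it only
// rejects a component that is exactly ".git". Do not use.
func naiveTreePathOK(treePath string) bool {
	for _, seg := range strings.Split(treePath, "/") {
		if seg == ".git" {
			return false
		}
	}
	return true
}

// isDotGitComponent reports whether one path component would resolve to the
// repository's .git directory once the host filesystem has normalized it:
//   - the Win32 file APIs drop trailing dots and spaces (".git." -> ".git")
//   - NTFS compares names case-insensitively (".GIT" -> ".git")
//   - a colon starts an NTFS alternate data stream (".git::$DATA" -> ".git")
//   - "GIT~1" is the 8.3 short name NTFS assigns to ".git"
func isDotGitComponent(seg string) bool {
	seg = strings.ToLower(seg)
	if i := strings.IndexByte(seg, ':'); i >= 0 {
		seg = seg[:i]
	}
	seg = strings.TrimRight(seg, ". ")
	return seg == ".git" || seg == "git~1"
}

// validateTreePath normalizes a user-supplied tree_path and refuses anything
// that would land inside .git. It returns the cleaned path relative to the
// repository root; "" means the root itself.
func validateTreePath(treePath string) (string, error) {
	p := strings.ReplaceAll(treePath, "\\", "/")
	// Rooting the path before Clean stops ".." from climbing above the repo.
	p = strings.TrimPrefix(path.Clean("/"+p), "/")
	for _, seg := range strings.Split(p, "/") {
		if isDotGitComponent(seg) {
			return "", fmt.Errorf("tree_path %q would write into the .git directory", treePath)
		}
	}
	return p, nil
}

func main() {
	// Sample inputs constructed for this example.
	for _, tp := range []string{".git.", ".GIT ", "docs/../.git/config", ".git::$DATA", "src/main.go", ".gitignore", ""} {
		p, err := validateTreePath(tp)
		fmt.Printf("%-24q naive-ok=%-5v hardened=%q err=%v\n", tp, naiveTreePathOK(tp), p, err)
	}
}
```

The check runs on the request path before any filesystem call, so it also catches `..` climbing and backslash separators that a Windows host would accept.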
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this, if the built-in SSH server is enabled, by opening an SSH connection and sending a malicious `--split-string` env request. Windows installations are unaffected.
CVSS Score
9.9
EPSS Score
0.119
Published
2024-07-04
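The unsafe pattern behind this class of bug is passing a client-supplied `env` request straight into the argv of env(1), where a name beginning with `-` is parsed as an option (`--split-string` is GNU env's `-S`, which splits its argument into further command words). The Go snippet below is an added example, not Gogs's `internal/ssh/ssh.go`: it shows the vulnerable argv construction beside a guard that validates the name against an allowlist and sets the variable on the child process through `cmd.Env`, so client data never becomes an argv element. Allowing only `GIT_PROTOCOL`, the request shape and the repository path are assumptions for the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// envRequest models the name/value pair carried by an SSH "env" channel
// request (RFC 4254, section 6.4). Constructed for this example.
type envRequest struct {
	Name  string
	Value string
}

// vulnerableArgv is the risky pattern: the client-chosen name is spliced into
// the argv of env(1), so a name starting with "-" is parsed as an env option
// rather than as a variable assignment. Do not use.
func vulnerableArgv(req envRequest, gitCmd, repoPath string) []string {
	return []string{"env", req.Name + "=" + req.Value, gitCmd, repoPath}
}

// envNameRe accepts only conventional environment variable names.
var envNameRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// allowedEnv lists the variables a remote client may influence. Allowing only
// GIT_PROTOCOL is an assumption for this example; keep the set as small as
// the server's git commands actually need.
var allowedEnv = map[string]bool{"GIT_PROTOCOL": true}

// safeCommand validates the request and, instead of invoking env(1), sets the
// variable on the child process through cmd.Env, so no client-controlled
// string ever reaches argv.
func safeCommand(req envRequest, gitCmd, repoPath string) (*exec.Cmd, error) {
	// The regexp already excludes "-", but the explicit test documents intent.
	if strings.HasPrefix(req.Name, "-") || !envNameRe.MatchString(req.Name) {
		return nil, fmt.Errorf("env request rejected: %q is not a valid variable name", req.Name)
	}
	if !allowedEnv[req.Name] {
		return nil, fmt.Errorf("env request rejected: %q is not in the allowlist", req.Name)
	}
	if strings.ContainsAny(req.Value, "\x00\n") {
		return nil, fmt.Errorf("env request rejected: value for %q contains control characters", req.Name)
	}
	cmd := exec.Command(gitCmd, repoPath)
	cmd.Env = append(os.Environ(), req.Name+"="+req.Value)
	return cmd, nil
}

func main() {
	// Requests constructed for this example; the repository path is assumed.
	const repo = "/srv/gogs/repos/demo/app.git"
	bad := envRequest{Name: "--split-string=/bin/sh -c id", Value: ""}
	fmt.Println("vulnerable argv:", vulnerableArgv(bad, "git-upload-pack", repo))
	if _, err := safeCommand(bad, "git-upload-pack", repo); err != nil {
		fmt.Println("hardened:", err)
	}
	good := envRequest{Name: "GIT_PROTOCOL", Value: "version=2"}
	if cmd, err := safeCommand(good, "git-upload-pack", repo); err == nil {
		fmt.Println("hardened argv:", cmd.Args, "env tail:", cmd.Env[len(cmd.Env)-1])
	}
}
```

The same shape applies to the other argument-injection entries on this page: any value a user controls that is placed next to a command's options needs either an allowlist or a construction where it cannot be read as an option.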
Gogs through 0.13.0 allows deletion of internal files.
CVSS Score
9.9
EPSS Score
0.095
Published
2024-07-04
Gogs through 0.13.0 allows argument injection during the previewing of changes.
CVSS Score
9.9
EPSS Score
0.028
Published
2024-07-04
Gogs through 0.13.0 allows argument injection during the tagging of a new release.
CVSS Score
7.7
EPSS Score
0.003
Published
2024-07-04
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
CVSS Score
9.8
EPSS Score
0.44
Published
2023-02-25
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
CVSS Score
9.0
EPSS Score
0.027
Published
2022-10-11
Gogs is an open source self-hosted Git service. In versions of Gogs prior to 0.12.9, `DisplayName` is not sanitized for characters entered by users, which leads to a stored XSS vulnerability when the name is displayed directly in the issue list. This issue was resolved in commit 155cae1d, which sanitizes `DisplayName` before displaying it to the user. All Gogs users are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters.
CVSS Score
5.4
EPSS Score
0.003
Published
2022-06-09
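Added example (not the Gogs commit referenced above): rendering the same issue-list row with Go's `text/template`, which inserts `DisplayName` verbatim, and with `html/template`, which escapes it for the HTML context it lands in, plus a scan that flags stored display names containing markup characters, for the audit the advisory suggests to users who cannot upgrade. The row template, the field names and the sample display name are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// issueRow is the data one issue-list row renders; constructed for this example.
type issueRow struct {
	Title       string
	DisplayName string
}

// rowTmpl is a stand-in for the issue-list markup; the real template differs.
const rowTmpl = `<li><span class="author">{{.DisplayName}}</span> opened "{{.Title}}"</li>`

// renderUnsafe uses text/template, which copies DisplayName into the output
// byte for byte, so a display name containing markup becomes live HTML.
func renderUnsafe(row issueRow) string {
	var buf bytes.Buffer
	tmpl := texttemplate.Must(texttemplate.New("row").Parse(rowTmpl))
	if err := tmpl.Execute(&buf, row); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderSafe uses html/template, which escapes each value for the HTML
// context it lands in; the same display name is emitted as inert text.
func renderSafe(row issueRow) string {
	var buf bytes.Buffer
	tmpl := htmltemplate.Must(htmltemplate.New("row").Parse(rowTmpl))
	if err := tmpl.Execute(&buf, row); err != nil {
		panic(err)
	}
	return buf.String()
}

// suspiciousDisplayName flags stored names worth reviewing when upgrading is
// not possible: anything that could open a tag, an attribute or an entity.
func suspiciousDisplayName(name string) bool {
	return strings.ContainsAny(name, "<>\"'&")
}

func main() {
	// Sample row constructed for this example.
	row := issueRow{Title: "Login fails", DisplayName: `<img src=x onerror=alert(document.cookie)>`}
	fmt.Println("text/template:", renderUnsafe(row))
	fmt.Println("html/template:", renderSafe(row))
	fmt.Println("flag for review:", suspiciousDisplayName(row.DisplayName))
}
```

Context-aware escaping at render time is the durable fix; the character scan is only a triage aid for existing data, since a name that is harmless in one context can still be dangerous in another.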
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9.
CVSS Score
10.0
EPSS Score
0.139
Published
2022-06-09
Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
CVSS Score
10.0
EPSS Score
0.017
Published
2022-06-09
Shodan ® - All rights reserved