Gogs 0.11.86 Security Vulnerabilities
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the documentation but not in the UI, it could be considered a "Product UI does not Warn User of Unsafe Actions" issue.
CVSS Score: 7.2; EPSS Score: 0.911; Published: 2020-10-16
Gogs through 0.11.91 allows attackers to violate the admin-specified repo-creation policy due to an internal/db/repo.go race condition.
CVSS Score: 5.9; EPSS Score: 0.003; Published: 2020-02-21
routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.
CVSS Score: 9.8; EPSS Score: 0.003; Published: 2019-08-02
Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.
CVSS Score: 6.1; EPSS Score: 0.002; Published: 2018-08-08

