Version unspecified

OTHER 10 CVEs

Known Vulnerabilities

CVE-2022-1884

A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the .git directory, allowing them to write or rewrite the `.git/config` file. If the `core.sshCommand` is set, this can lead to remote command execution.

CRITICAL CVSS 10.0 Published Nov 15, 2024

CVE-2022-2024

OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.

CRITICAL CVSS 9.8 Published Feb 25, 2023

CVE-2022-1986

OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9.

CRITICAL CVSS 10.0 Published Jun 09, 2022

CVE-2022-1993

Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.

HIGH CVSS 8.1 Published Jun 08, 2022

CVE-2022-1992

Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.

CRITICAL CVSS 10.0 Published Jun 08, 2022

CVE-2022-1285

Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8.

HIGH CVSS 8.3 Published Jun 01, 2022

CVE-2022-1464

Stored XSS bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public, any user can view the report, and when they open the attachment the XSS is executed. This bug allows execution of any JavaScript code in the victim's account.

HIGH CVSS 7.3 Published May 05, 2022

CVE-2022-0415

Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.

CRITICAL CVSS 9.9 Published Mar 21, 2022

CVE-2022-0870

Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5.

MEDIUM CVSS 5.0 Published Mar 11, 2022

CVE-2022-0871

Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.

HIGH CVSS 8.2 Published Mar 11, 2022