CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0CVE-2018-15192
https://notcve.org/view.php?id=CVE-2018-15192
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services. Una vulnerabilidad de Server-Side Request Forgery (SSRF) en webhooks en Gitea hasta la versión 1.5.0-rc2 y Gogs hasta la versión 0.11.53 permite que los atacantes remotos accedan a los servicios de la intranet. • https://github.com/go-gitea/gitea/issues/4624 https://github.com/gogs/gogs/issues/5366 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15178
https://notcve.org/view.php?id=CVE-2018-15178
Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go. Vulnerabilidad de redirección abierta en Gogs en versiones anteriores a la 0.12 permite que atacantes remotos redirijan a usuarios a sitios web arbitrarios y lleven a cabo ataques de phishing mediante una subcadena /\ inicial en el parámetro redirect_to en user/login. Esto está relacionado con la función isValidRedirect en routes/user/auth.go. • https://github.com/gogs/gogs/issues/5364 https://github.com/gogs/gogs/pull/5365 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 2CVE-2014-8683 – Gogs Markdown Renderer Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-8683
Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown. Vulnerabilidad de XSS en models/issue.go en Gogs (también conocido como Go Git Service) 0.3.1-9 hasta 0.5.x anterior a 0.5.8 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro text en api/v1/markdown. Gogs markdown renderer suffers from a cross site scripting vulnerability. Versions 0.3.1-9-g49dc57e are affected. • http://gogs.io/docs/intro/change_log.html http://packetstormsecurity.com/files/129118/Gogs-Markdown-Renderer-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Nov/34 http://www.securityfocus.com/archive/1/533996/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/98693 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 6CVE-2014-8682 – Gogs - 'users'/'repos' '?q' SQL Injection
https://notcve.org/view.php?id=CVE-2014-8682
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go. Múltiples vulnerabilidades de inyección SQL en Gogs (también conocido como Go Git Service) 0.3.1-9 hasta 0.5.x anterior a 0.5.6.1105 Beta permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro q en (1) api/v1/repos/search, lo que no se maneja debidamente en models/repo.go, o (2) api/v1/users/search, lo que no se maneja debidamente en models/user.go. Gogs suffers from a remote unauthenticated SQL injection vulnerability via repository search. Versions 0.3.1-9-g49dc57e through 0.5.6.1104-g0c5ba45 are affected. • https://www.exploit-db.com/exploits/35238 http://gogs.io/docs/intro/change_log.html http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Nov/33 http://www.exploit-db.com/exploits/35238 http://www.securityfocus.com/archive/1/533995/100/0/threaded http://www.securityfocus.com/bid/71187 https://exchange.xforce.ibmcloud.com/vulnerabilities/98694 https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 5CVE-2014-8681 – Gogs - 'label' SQL Injection
https://notcve.org/view.php?id=CVE-2014-8681
SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues. Vulnerabilidad de inyección SQL en la función GetIssues en models/issue.go en Gogs (también conocido como Go Git Service) 0.3.1-9 hasta 0.5.6.x anterior a 0.5.6.1025 Beta permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro label en user/repos/issues. Gogs suffers from a remote blind SQL injection vulnerability via label search. Versions 0.3.1-9-g49dc57e through 0.5.6.1024-gf1d8746 are affected. • https://www.exploit-db.com/exploits/35237 http://gogs.io/docs/intro/change_log.html http://packetstormsecurity.com/files/129116/Gogs-Label-Search-Blind-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Nov/31 http://www.exploit-db.com/exploits/35237 https://exchange.xforce.ibmcloud.com/vulnerabilities/98695 https://github.com/gogits/gogs/commit/83283bca4cb4e0f4ec48a28af680f0d88db3d2c8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •