Skip to main content

Gogs CVE-2018-17031

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2018-09-14 cve@mitre.org
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 14, 2018 - 02:29 nvd
MEDIUM 6.1

DescriptionNVD

In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not sent.

AnalysisAI

In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not sent. Affected products include: Gogs.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Gogs

View all
CVE-2014-8682 HIGH POC
7.5 Nov 21

Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow r

CVE-2020-15867 HIGH POC
7.2 Oct 16

The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. Rated high severity (C

CVE-2024-39932 CRITICAL POC
9.9 Jul 04

Gogs through 0.13.0 allows argument injection during the previewing of changes. Rated critical severity (CVSS 9.9), this

CVE-2024-39930 CRITICAL POC
9.9 Jul 04

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code

CVE-2025-64111 CRITICAL POC
9.8 Feb 06

Gogs self-hosted Git service v0.13.3 has a command injection vulnerability enabling remote code execution through crafte

CVE-2026-25242 CRITICAL POC
9.8 Feb 19

Unauthenticated file upload in Gogs self-hosted Git service 0.13.4 and below. Default configuration exposes file upload

CVE-2022-1986 CRITICAL POC
9.8 Jun 09

OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9. Rated critical severity (CVSS 9.8), this vulnerabil

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

CVE-2026-25921 CRITICAL POC
9.3 Mar 05

Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.

CVE-2022-1992 CRITICAL POC
9.1 Jun 09

Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2022-0871 CRITICAL POC
9.1 Mar 11

Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5. Rated critical severity (CVSS 9.1), this vulnerabi

CVE-2022-32174 CRITICAL POC
9.0 Oct 11

In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account t

Share

CVE-2018-17031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy