Gophish
CVE-2019-16146
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Gophish through 0.8.0 allows XSS via a username.
AnalysisAI
Gophish through 0.8.0 allows XSS via a username. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Affected products include: Getgophish Gophish. Version information: through 0.8.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. Rated high severity (CVSS 7.8),
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived
Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. Rated high severity (CVSS 7.5), this vulnerab
Memory exhaustion denial of service in Gophish through 0.12.1 allows authenticated low-privilege users to crash the phis
The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via
This affects the package github.com/gophish/gophish before 0.12.0. Rated medium severity (CVSS 5.4), this vulnerability
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page.
Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template. Rated m
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form. Rated med
Gophish before 0.11.0 allows SSRF attacks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,
Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. Rated medium severity (CVSS 6.1), this vu
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today