Skip to main content

Gogs CVE-2022-1464

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2022-05-05 security@huntr.dev
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
May 05, 2022 - 14:15 nvd
MEDIUM 5.4

DescriptionNVD

Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account .

AnalysisAI

Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account . Affected products include: Gogs. Version information: prior to 0.12.7..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Gogs

View all
CVE-2014-8682 HIGH POC
7.5 Nov 21

Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow r

CVE-2020-15867 HIGH POC
7.2 Oct 16

The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. Rated high severity (C

CVE-2024-39932 CRITICAL POC
9.9 Jul 04

Gogs through 0.13.0 allows argument injection during the previewing of changes. Rated critical severity (CVSS 9.9), this

CVE-2024-39930 CRITICAL POC
9.9 Jul 04

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code

CVE-2025-64111 CRITICAL POC
9.8 Feb 06

Gogs self-hosted Git service v0.13.3 has a command injection vulnerability enabling remote code execution through crafte

CVE-2026-25242 CRITICAL POC
9.8 Feb 19

Unauthenticated file upload in Gogs self-hosted Git service 0.13.4 and below. Default configuration exposes file upload

CVE-2022-1986 CRITICAL POC
9.8 Jun 09

OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9. Rated critical severity (CVSS 9.8), this vulnerabil

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

CVE-2026-25921 CRITICAL POC
9.3 Mar 05

Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.

CVE-2022-1992 CRITICAL POC
9.1 Jun 09

Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2022-0871 CRITICAL POC
9.1 Mar 11

Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5. Rated critical severity (CVSS 9.1), this vulnerabi

CVE-2022-32174 CRITICAL POC
9.0 Oct 11

In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account t

Share

CVE-2022-1464 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy