CVE-2014-8682

NUCLEI

Gogs 0.3.1-9-0.5.x - SQL Injection

Title source: llm

Description

Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.

Exploits (2)

exploitdb WRITEUP

by Timo Schmid · textwebappsmultiple

https://www.exploit-db.com/exploits/35238

View Code ZIP pw:eip

nomisec WRITEUP

by nihal1306 · poc

https://github.com/nihal1306/gogs

View Code ZIP pw:eip

Nuclei Templates (1)

Gogs (Go Git Service) - SQL Injection

HIGHby dhiyaneshDK,daffainfo

Shodan: title:"Sign In - Gogs" || http.title:"sign in - gogs" || cpe:"cpe:2.3:a:gogs:gogs"

FOFA: title="sign in - gogs"

References (8)

[Various Sources] http://gogs.io/docs/intro/change_log.html

[Exploit] http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html

[Exploit] http://seclists.org/fulldisclosure/2014/Nov/33

[Exploit] http://www.exploit-db.com/exploits/35238

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/533995/100/0/threaded

[Exploit] http://www.securityfocus.com/bid/71187

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/98694

[Exploit] https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d

Scores

EPSS 0.7689

EPSS Percentile 99.0%

Details

CWE

CWE-89

Status published

Products (7)

gogits/gogs 0.3.1-9

gogits/gogs 0.4.1

gogits/gogs 0.4.2

gogits/gogs 0.5.0

gogits/gogs 0.5.2

gogits/gogs < 0.5.5

gogs.io/gogs 0.3.1 - 0.5.8Go

Published Nov 21, 2014

Tracked Since Feb 18, 2026