CVE-2025-47943

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-47943
Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3.

6.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/gogs/gogs/commit/110117b2e5e5baa4809c819bec701e929d2d8d40
https://github.com/gogs/gogs/releases/tag/v0.13.3
https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v
https://www.hacktivesecurity.com/blog/2025/07/15/cve-2025-47943-stored-xss-in-gogs-via-pdf
https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v
Configurations

No configuration.

History

30 Jul 2025, 18:15

Type Values Removed Values Added
References
  • () https://www.hacktivesecurity.com/blog/2025/07/15/cve-2025-47943-stored-xss-in-gogs-via-pdf -

26 Jun 2025, 18:58

Type Values Removed Values Added
Summary
  • (es) Gogs es un servicio Git autoalojado de código abierto. En la versión 0.14.0+dev y anteriores de la aplicación, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en Gogs, que permite la ejecución de código Javascript del lado del cliente. La vulnerabilidad se debe al uso de un componente vulnerable y obsoleto: pdfjs-1.4.20, ubicado en public/plugins/. Este problema se ha corregido para gogs.io/gogs en la versión 0.13.3.

24 Jun 2025, 22:15

Type Values Removed Values Added
References () https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v - () https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v -

24 Jun 2025, 04:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-24 04:15

Updated : 2025-07-30 18:15

NVD link : CVE-2025-47943

Mitre link : CVE-2025-47943

CVE.ORG link : CVE-2025-47943

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')