CVE-2014-8681

Name of the Vulnerable Software and Affected Versions Gogs (aka Go Git Service) versions 0.3.1-9 through 0.5.6.x

Description The issue is related to a SQL injection vulnerability. It allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues. The vulnerability is due to improper sanitization of user input, making certain methods vulnerable to SQL injection if used with unsanitized user input.

Recommendations For Gogs (aka Go Git Service) versions 0.3.1-9 through 0.5.6.x, update to version 0.5.6.1025 Beta or later to resolve the issue. As a temporary workaround, consider sanitizing user input before passing it to vulnerable methods, such as the GetIssues function in models/issue.go. Restrict access to the label parameter in the user/repos/issues endpoint to minimize the risk of exploitation.