Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page.
Advisories for Golang/Github.com/Gophish/Gophish package
2023
Gophish vulnerable to Denial of Service via crafted payload involving autofocus
Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus.
2022
URL Redirection to Untrusted Site ('Open Redirect')
This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parse(r.FormValue("next")) to extract path and eventually redirect user to a relative URL, but if next parameter starts with multiple backslashes like \\example.com, browser will redirect user to http://example.com.
Server-Side Request Forgery (SSRF)
Gophish before 0.11.0 allows SSRF attacks.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Gophish through 0.8.0 allows XSS via a username.