CVE-2018-18925 (NVD)

2018-11-04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.

Products: Gogs
Type: Session Fixation (CWE-384)
First patch: None (likely due to unavailable code)
Links: https://github.com/gogs/gogs/issues/5469