Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Gitea
(Gitea)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 33 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-03-15 | CVE-2021-28378 | Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations. | Gitea | 5.4 | ||
| 2021-02-05 | CVE-2021-3382 | Stack buffer overflow vulnerability in gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via vectors related to a file path. | Gitea | 7.5 | ||
| 2019-04-15 | CVE-2019-11229 | models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution. | Gitea | 8.8 | ||
| 2020-11-24 | CVE-2020-28991 | Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go. | Gitea | 9.8 | ||
| 2020-05-20 | CVE-2020-13246 | An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's ownership from one organization to another. | Gitea | N/A | ||
| 2019-07-18 | CVE-2019-1010261 | Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically crafted URL. The fixed version is: 1.7.1 and later. | Gitea | 6.1 | ||
| 2019-07-11 | CVE-2019-1010314 | Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: victim must navigate to public and affected repo page. | Gitea | 6.1 | ||
| 2019-04-28 | CVE-2019-11576 | Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker could send them to the API without requiring the 2FA one-time password. | Gitea | 9.8 | ||
| 2019-04-15 | CVE-2019-11228 | repo/setting.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 does not validate the form.MirrorAddress before calling SaveAddress. | Gitea | 7.5 | ||
| 2019-02-04 | CVE-2019-1000002 | Gitea version 1.6.2 and earlier contains a Incorrect Access Control vulnerability in Delete/Edit file functionallity that can result in the attacker deleting files outside the repository he/she has access to. This attack appears to be exploitable via the attacker must get write access to "any" repository including self-created ones.. This vulnerability appears to have been fixed in 1.6.3, 1.7.0-rc2. | Gitea | 6.5 |