Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
References
Link | Resource |
---|---|
https://github.com/gogs/gogs/issues/5469 | Patch Third Party Advisory |
Configurations
History
No history.
Information
Published : 2018-11-04 05:29
Updated : 2024-02-28 16:48
NVD link : CVE-2018-18925
Mitre link : CVE-2018-18925
CVE.ORG link : CVE-2018-18925
JSON object : View
Products Affected
gogs
- gogs
CWE
CWE-384
Session Fixation