Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
References
Link | Resource |
---|---|
https://github.com/gogs/gogs/issues/5469 | Patch Third Party Advisory |
https://github.com/gogs/gogs/issues/5469 | Patch Third Party Advisory |
Configurations
History
21 Nov 2024, 03:56
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/gogs/gogs/issues/5469 - Patch, Third Party Advisory |
Information
Published : 2018-11-04 05:29
Updated : 2024-11-21 03:56
NVD link : CVE-2018-18925
Mitre link : CVE-2018-18925
CVE.ORG link : CVE-2018-18925
JSON object : View
Products Affected
gogs
- gogs
CWE
CWE-384
Session Fixation