Описание
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
Ссылки
- PatchThird Party Advisory
- PatchThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.11.66 (включая)
cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
EPSS
Процентиль: 100%
0.93737
Критический
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-384
Связанные уязвимости
CVSS3: 9.8
github
больше 3 лет назад
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
EPSS
Процентиль: 100%
0.93737
Критический
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-384