Vulnerability Details CVE-2023-49946
In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 28.8%
CVSS Severity
CVSS v3 Score 9.1
References
- https://about.gitea.com/security
- https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md
- https://forgejo.org/2023-11-release-v1-20-5-1/
- https://github.com/gogs/gogs/security
- https://about.gitea.com/security
- https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md
- https://forgejo.org/2023-11-release-v1-20-5-1/
- https://github.com/gogs/gogs/security