Shodan
Vulnerabilities
Vulnerable Software
Gitea:  >> Gitea  >> 1.0.0  Security Vulnerabilities
CVE-2021-45330
An issue exsits in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and the session remains valid on the server side for reuse.
CVSS Score
9.8
EPSS Score
0.013
Published
2022-02-09
CVE-2021-45329
Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.
CVSS Score
6.1
EPSS Score
0.007
Published
2022-02-08
CVE-2021-45328
Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-02-08
CVE-2021-45325
Server Side Request Forgery (SSRF) vulneraility exists in Gitea before 1.7.0 using the OpenID URL.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-02-08
CVE-2021-45326
Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state altering POST requests.
CVSS Score
8.8
EPSS Score
0.002
Published
2022-02-08
CVE-2021-45327
Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API. which could let a remote malisious user execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.009
Published
2022-02-08
CVE-2020-28991
Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go.
CVSS Score
9.8
EPSS Score
0.004
Published
2020-11-24
CVE-2020-13246
An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's ownership from one organization to another.
CVSS Score
7.5
EPSS Score
0.005
Published
2020-05-20
CVE-2019-1010261
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically crafted URL. The fixed version is: 1.7.1 and later.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-07-18
CVE-2019-11576
Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker could send them to the API without requiring the 2FA one-time password.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-04-28


Products
Pricing
Contact Us

Shodan ® - All rights reserved