Shodan
Vulnerabilities
Vulnerable Software
Gitea:  >> Gitea  >> 1.0.2  Security Vulnerabilities
CVE-2021-45330
An issue exsits in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and the session remains valid on the server side for reuse.
CVSS Score
9.8
EPSS Score
0.011
Published
2022-02-09
CVE-2021-45329
Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.
CVSS Score
6.1
EPSS Score
0.007
Published
2022-02-08
CVE-2021-45328
Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-02-08
CVE-2021-45325
Server Side Request Forgery (SSRF) vulneraility exists in Gitea before 1.7.0 using the OpenID URL.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-02-08
CVE-2021-45326
Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state altering POST requests.
CVSS Score
8.8
EPSS Score
0.002
Published
2022-02-08
CVE-2021-45327
Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API. which could let a remote malisious user execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.009
Published
2022-02-08
CVE-2020-28991
Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go.
CVSS Score
9.8
EPSS Score
0.004
Published
2020-11-24
CVE-2020-13246
An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's ownership from one organization to another.
CVSS Score
7.5
EPSS Score
0.008
Published
2020-05-20
CVE-2019-1010261
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically crafted URL. The fixed version is: 1.7.1 and later.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-07-18
CVE-2019-10330
Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.
CVSS Score
7.5
EPSS Score
0.008
Published
2019-05-31


Products
Pricing
Contact Us

Shodan ® - All rights reserved