CVE-2018-18925

Name of the Vulnerable Software and Affected Versions Gogs version 0.11.66

Description The issue allows remote code execution due to improper validation of session IDs. This can be exploited through a ".." session-file forgery in the file session provider, specifically in the file.go file. The problem is related to session ID handling in the go-macaron/session code for Macaron.

Recommendations For Gogs version 0.11.66, consider disabling the session ID handling functionality in the go-macaron/session code for Macaron until a proper fix is available. Restrict access to the file session provider to minimize the risk of exploitation. Avoid using the file.go file for session management until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.