PT-2021-17853 · Gitea+1 · Gitea+1

Jolheiser

Published

2020-12-11

Updated

2024-08-21

CVE-2021-28378

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Gitea versions 1.12.x through 1.13.3 Gitea versions 1.1.0 through 1.12.5

Description: The issue allows for cross-site scripting (XSS) via certain issue data in some situations. It also enables authenticated remote code execution through the git hook feature.

Recommendations: For Gitea versions 1.12.x through 1.13.3, update to version 1.13.4 or later. For Gitea versions 1.1.0 through 1.12.5, consider disabling the git hook feature as a temporary workaround until a patch is available.

Exploit

Fix

OS Command Injection

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-79

Related Identifiers

ALT-PU-2020-3490

ALT-PU-2020-3506

ALT-PU-2021-1612

ALT-PU-2022-1257

BIT-GITEA-2020-14144

BIT-GITEA-2021-28378

CVE-2021-28378

GHSA-3H6C-C475-JM7V

GHSA-G95P-88P4-76CM

GO-2022-0832

Affected Products

Alt Linux

Gitea

PT-2021-17853 · Gitea+1 · Gitea+1

CVE-2021-28378

Weakness Enumeration

Related Identifiers

Affected Products

References · 29