PT-2023-31417 · Forgejo · Forgejo

Unknwon · Published 2023-12-03 · Updated 2023-12-07 · CVE-2023-49946

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Forgejo versions prior to 1.20.5-1

Description: The issue allows remote attackers to perform unauthorized actions because certain endpoints do not check whether the requested object belongs to the repository against which permissions are being checked. This enables attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.

Recommendations: For versions prior to 1.20.5-1, update to version 1.20.5-1 or later to resolve the issue. As a temporary workaround, consider restricting access to the sensitive endpoints until the update is applied.

Fix

Weakness Enumeration: Incorrect Permission

Related Identifiers: CVE-2023-49946

Affected Products: Forgejo