Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.
AnalysisAI
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL. Affected products include: Forgejo. Version information: before 1.20.5.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissio
Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication. Rated high severity (CVSS 7.5), t
Stored XSS in Forgejo before 15.0.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today