Forgejo
Monthly
Stored XSS in Forgejo before 15.0.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers by embedding an HTML payload in their display name and triggering a CI/CD Actions run. The vulnerability exists because the server-side run description assembles HTML by interpolating the user's full name through a translation function that performs no output encoding, and the frontend renders this server-generated markup via a Vue v-html binding - a classic sink for stored XSS. No public exploit identified at time of analysis as actively exploited in the wild, but a public proof-of-concept exists at the VulnCheck-referenced GitHub repository. The CVSS 4.0 score of 2.1 reflects the non-default configuration prerequisite and passive user interaction required, but the impact on subsequent systems (other users' browser sessions) is real.
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored XSS in Forgejo before 15.0.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers by embedding an HTML payload in their display name and triggering a CI/CD Actions run. The vulnerability exists because the server-side run description assembles HTML by interpolating the user's full name through a translation function that performs no output encoding, and the frontend renders this server-generated markup via a Vue v-html binding - a classic sink for stored XSS. No public exploit identified at time of analysis as actively exploited in the wild, but a public proof-of-concept exists at the VulnCheck-referenced GitHub repository. The CVSS 4.0 score of 2.1 reflects the non-default configuration prerequisite and passive user interaction required, but the impact on subsequent systems (other users' browser sessions) is real.
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.