
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker could send them to the API without requiring the 2FA one-time password.
• https://blog.gitea.io/2019/04/gitea-1.8.0-is-released
• https://github.com/go-gitea/gitea/pull/6674
• CWE-287: Improper Authentication

CVSS: 8.8 | EPSS: 4% | CPEs: 3 | EXPL: 2

models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution. Gitea version 1.7.5 suffers from a remote code execution vulnerability.
• https://www.exploit-db.com/exploits/49383
• http://packetstormsecurity.com/files/160833/Gitea-1.7.5-Remote-Code-Execution.html
• https://github.com/go-gitea/gitea/releases/tag/v1.7.6
• https://github.com/go-gitea/gitea/releases/tag/v1.8.0-rc3

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

repo/setting.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 does not validate the form.MirrorAddress before calling SaveAddress.
• https://github.com/go-gitea/gitea/releases/tag/v1.7.6
• https://github.com/go-gitea/gitea/releases/tag/v1.8.0-rc3
• CWE-20: Improper Input Validation