CVE-2018-18925
Severity Score
9.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
Gogs 0.11.66 permite la ejecución remota de código debido a que no valida correctamente los ID de sesión, tal y como queda demostrado por una falsificación de archivos de sesión ".." en el proveedor de sesión de archivos en file.go. Esto está relacionado con el manejo de ID de sesión en el código go-macaron/session para Macaron.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-11-04 CVE Reserved
- 2018-11-04 CVE Published
- 2021-09-14 First Exploit
- 2024-08-05 CVE Updated
- 2024-10-14 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-384: Session Fixation
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/j4k0m/CVE-2018-18925 | 2021-09-14 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/gogs/gogs/issues/5469 | 2019-01-29 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Gogs Search vendor "Gogs" | Gogs Search vendor "Gogs" for product "Gogs" | <= 0.11.66 Search vendor "Gogs" for product "Gogs" and version " <= 0.11.66" | - |
Affected
| ||||||