In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2023-12-03T00:00:00
Updated: 2024-08-02T22:09:49.457Z
Reserved: 2023-12-03T00:00:00
Link: CVE-2023-49946
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2023-12-03T19:15:08.227
Modified: 2023-12-07T14:52:07.533
Link: CVE-2023-49946
Redhat
No data.