FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-29 10:45:39 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID 482bb980-99a3-11ee-b5f7-6bd56600d90c
gitea -- missing permission checks

The Gitea team reports:

Fix missing check

Do some missing checks

By crafting an API request, attackers can access the contents of issues even though the logged-in user does not have access rights to these issues.


Discovery 2023-08-30
Entry 2023-09-10
gitea
< 1.21.2

https://github.com/go-gitea/gitea/releases/tag/v1.21.2
VuXML ID 5ecfb588-d2f4-11ee-ad82-dbdfaa8acfc2
gitea -- Fix XSS vulnerabilities

Problem Description:

  • The Wiki page did not sanitize the author name
  • The reviewer name on a "dismiss review" comment is also affected
  • The migration page has some spots

Discovery 2024-02-23
Entry 2024-02-24
gitea
< 1.21.6

https://blog.gitea.com/release-of-1.21.6/
VuXML ID 4061a4b2-4fb1-11ee-acc7-0151f07bc899
gitea -- block user account creation from blocked email domains

The Gitea team reports:

check blocklist for emails when adding them to account


Discovery 2023-08-30
Entry 2023-09-10
gitea
< 1.20.3

https://blog.gitea.com/release-of-1.20.4
https://github.com/go-gitea/gitea/releases/tag/v1.20.4
VuXML ID b2765c89-a052-11ee-bed2-596753f1a87c
gitea -- Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin

The Gitea team reports:

Update golang.org/x/crypto


Discovery 2023-12-19
Entry 2023-12-21
gitea
< 1.21.3

https://github.com/go-gitea/gitea/releases/tag/v1.21.3
VuXML ID bd7592a1-cbfd-11ee-a42a-5404a6f3ca32
gitea -- Prevent anonymous container access

Problem Description:

Even with RequireSignInView enabled, anonymous users can use docker pull to fetch public images.


Discovery 2024-01-24
Entry 2024-02-15
gitea
< 1.21.5

https://blog.gitea.com/release-of-1.21.5/
VuXML ID ab0bab3c-2927-11ee-8608-07b8d3947721
gitea -- Disallow dangerous URL schemes

The Gitea team reports:

Disallow javascript, vbscript and data (data uri images still work) url schemes even if all other schemes are allowed


Discovery 2023-06-18
Entry 2023-07-23
gitea
< 1.20.1

https://blog.gitea.com/release-of-1.20.1
https://github.com/go-gitea/gitea/releases/tag/v1.20.1
VuXML ID 36a37c92-44b1-11ee-b091-6162c1274384
gitea -- information disclosure

The Gitea team reports:

Fix API leaking Usermail if not logged in

The API should only return the real Mail of a User if the caller is logged in. The check to do this doesn't work. This PR fixes this. This is not really a security issue, but can lead to Spam.


Discovery 2023-06-06
Entry 2023-08-27
gitea
< 1.20.3

https://blog.gitea.com/release-of-1.20.3
https://github.com/go-gitea/gitea/releases/tag/v1.20.3