Gitea ≫ Gitea

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

In Gitea before 1.21.2, an anonymous user can visit a private user's project.

Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.

Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.

Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

Gitea before 1.25.2 mishandles authorization for deletion of releases.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS.This issue affects Gitea Open Source Git Server: 1.22.0.