In Forgejo prior to 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote malicious users to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
forgejo forgejo |