CVE-2018-18925

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2018-18925

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-18925.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-18925

Published

2018-11-04T05:29:00.397Z

Modified

2026-04-10T04:07:24.028299Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.

References

https://github.com/gogs/gogs/issues/5469

Affected packages

Git / github.com/gogs/gogs

Affected ranges

Type

GIT

Repo

https://github.com/gogs/gogs

Events

Introduced

Last affected

3a4c981e3167875a3b60d0cee00ee85272608439

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.11.66"
        }
    ]
}

Affected versions

v0.*

v0.10

v0.10.18

v0.10.8

v0.10rc

v0.11

v0.11.19

v0.11.29

v0.11.33

v0.11.34

v0.11.4

v0.11.43

v0.11.53

v0.11.66

v0.11rc

v0.2.0

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.4.2

v0.5.0

v0.5.11

v0.5.13

v0.5.2

v0.5.5

v0.5.8

v0.5.9

v0.6.1

v0.6.15

v0.6.3

v0.6.9

v0.7.0

v0.7.19

v0.7.22

v0.7.33

v0.7.6

v0.8.0

v0.8.10

v0.8.25

v0.8.43

v0.9.0

v0.9.113

v0.9.128

v0.9.13

v0.9.141

v0.9.46

v0.9.48

v0.9.60

v0.9.71

v0.9.97

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-18925.json"