← Back

Gitblit

gitblit

Vendor: Gitblit • 4 CVEs

CVEs (4)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2025-50977
1Gitblit
1Gitblit
Sep 9, 2025
Aug 27, 2025
N/A· v4
6.1 MEDIUM· v3
N/A· v2
A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' paramete...Show more
A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the summary endpoint as well as POST requests to specific Wicket interface endpoints, though the GET method provides easier weaponization. This vulnerability enables authenticated administrators to execute arbitrary client-side code, potentially leading to session hijacking, data theft, or further privilege escalation attacks.Show less
CVE-2025-50978
1Gitblit
1Gitblit
Sep 9, 2025
Aug 27, 2025
N/A· v4
6.1 MEDIUM· v3
N/A· v2
In Gitblit v1.7.1, a reflected cross-site scripting (XSS) vulnerability exists in the way repository path names are handled. By injecting a specially crafted path payload an attacker can cause arbitrary JavaScript to exe...Show more
In Gitblit v1.7.1, a reflected cross-site scripting (XSS) vulnerability exists in the way repository path names are handled. By injecting a specially crafted path payload an attacker can cause arbitrary JavaScript to execute when a victim views the manipulated URL. This flaw stems from insufficient input sanitization of filename elements.Show less
CVE-2022-31268
1Gitblit
1Gitblit
Nov 21, 2024
May 21, 2022
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).
CVE-2022-31267
1Gitblit
1Gitblit
Nov 21, 2024
May 21, 2022
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Gitblit 1.9.2 allows privilege escalation via the Config User Service: a control character can be placed in a profile data field, such as an emailAddress%3Atext 'attacker@example.com\n\trole = "#admin"' value.