The Kallithea project takes security issues seriously. There are no publicly known vulnerabilities in the current version of Kallithea, and if a vulnerability is reported to us we work to fix it rapidly. However, some older versions of Kallithea have publicly known vulnerabilities; please upgrade to the current version.
Currently known security issues of older versions:
- 2015-02-09: CVE-2015-0260: API key of repository's creator exposed by get_repo API method
- 2015-04-09: CVE-2015-0276: Lack of CSRF attack protection enables gaining unauthorised access to users' accounts
- 2015-04-14: CVE-2015-1864: Multiple HTML and JavaScript injections
- 2015-10-01: CVE-2015-5285: HTTP header injection
- 2016-04-13: CVE-2016-3114: Privilege escalation
- 2016-04-14: CVE-2016-3691: CSRF protection bypass
- 2018-06-06: SZUREK-1: Incorrect access control
- 2018-06-06: SZUREK-2: Incorrect access control
- 2018-06-06: SZUREK-3: Directory traversal
- 2018-06-06: SZUREK-4: Cross-site scripting (XSS)
- 2018-10-30: HOGG-1: Cross-site scripting (XSS)
- 2019-03-03: HOGG-2: Cross-site scripting (XSS)
- 2019-03-03: HOGG-3: Cross-site scripting (XSS)
- 2019-03-03: HOGG-4: Cross-site scripting (XSS)
- 2019-03-03: HOGG-5: Cross-site scripting (XSS)
- 2019-05-19: HOGG-6: Cross-site scripting (XSS)
- 2020-12-01: STYPR-1: Cross-Site Scripting (XSS)
- 2020-12-01: STYPR-2: Server-side Request Forgery (SSRF)
- 2021-05-25: KIILERICH-1: IP Restriction Bypass
If you discover a vulnerability, please contact us at security@kallithea-scm.org.