Kallithea Security Issues

The Kallithea project takes security issues seriously. There are no publicly known vulnerabilities in the current version of Kallithea, and if a vulnerability is reported to us we work to rapidly fix it. However, some older versions of Kallithea have publicly known vulnerabilities; please upgrade to the current version.

Currently known security issues of older versions:

  • 2015-02-09: CVE-2015-0260: API key of repository's creator exposed by get_repo API method
  • 2015-04-09: CVE-2015-0276: Lack of CSRF attack protection enables gaining unauthorised access to users' accounts
  • 2015-04-14: CVE-2015-1864: Multiple HTML and JavaScript injections
  • 2015-10-01: CVE-2015-5285: HTTP header injection
  • 2016-04-13: CVE-2016-3114: Privilege escalation
  • 2016-04-14: CVE-2016-3691: CSRF protection bypass
  • 2018-06-06: SZUREK-1: Incorrect access control
  • 2018-06-06: SZUREK-2: Incorrect access control
  • 2018-06-06: SZUREK-3: Directory traversal
  • 2018-06-06: SZUREK-4: Cross-site scripting (XSS)
  • 2018-10-30: HOGG-1: Cross-site scripting (XSS)
  • 2019-03-03: HOGG-2: Cross-site scripting (XSS)
  • 2019-03-03: HOGG-3: Cross-site scripting (XSS)
  • 2019-03-03: HOGG-4: Cross-site scripting (XSS)
  • 2019-03-03: HOGG-5: Cross-site scripting (XSS)
  • 2019-05-19: HOGG-6: Cross-site scripting (XSS)
  • 2020-12-01: STYPR-1: Cross-site scripting (XSS)
  • 2020-12-01: STYPR-2: Server-side Request Forgery (SSRF)
  • 2021-05-25: KIILERICH-1: IP Restriction Bypass

If you discover a vulnerability, please contact us at security@kallithea-scm.org.