ghsa

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.

Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.

Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.

### Summary The `ArchiveReader.extractContents()` function used by `cctl image load` and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. ### Details The code in question is: https://github.com/apple/containerization/blob/main/Sources/ContainerizationArchive/Reader.swift#L180. ```swift /// Extracts the contents of an archive to the provided directory. /// Currently only handles regular files and directories present in the archive. public func extractContents(to directory: URL) throws { let fm = FileManager.default var foundEntry = false for (entry, data) in self { guard let p = entry.path else { continue } foundEntry = true let type = entry.fileType let target = directory.appending(path: p) switc...

**Summary** An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with `dangerouslySetInnerHTML` without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. **Affected Product** - Ecosystem: Packagist (Craft CMS plugin) - Package: solspace/craft-freeform - Version: <= 5.14.6 (latest observed). Likely all 5.x until patched. **Details** - Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using `dangerouslySetInnerHTML` without sanitization. - Evidence: `dangerouslySetInnerHTML` on user-controlled properties in bundled CP JS at [packages/plugin/src/Resources/js/client/client.js](packages/plugin/src/Resources/js/client/client.js#L1). **PoCs** - Label-based X...