CVE ID: CVE-2014-4511

Summary: Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.

Published: 2014-07-22T10:55:09.770-04:00
Last modified: 2018-08-13T17:47:49.010-04:00

Vulnerable software:
- cpe:/a:gitlist:gitlist:0.1
- cpe:/a:gitlist:gitlist:0.2
- cpe:/a:gitlist:gitlist:0.3
- cpe:/a:gitlist:gitlist:0.4.0

CVSS:
- Score: 7.5
- Access vector: NETWORK
- Access complexity: LOW
- Authentication: NONE
- Confidentiality impact: PARTIAL
- Integrity impact: PARTIAL
- Availability impact: PARTIAL
- Source: http://nvd.nist.gov
- Generated on: 2014-07-22T11:33:45.003-04:00

References:
- EXPLOIT-DB 33929
- EXPLOIT-DB 33990
- MISC http://hatriot.github.io/blog/2014/06/29/gitlist-rce/
- MISC http://packetstormsecurity.com/files/127281/Gitlist-0.4.0-Remote-Code-Execution.html
- MISC http://packetstormsecurity.com/files/127364/Gitlist-Unauthenticated-Remote-Command-Execution.html
- CONFIRM https://groups.google.com/forum/#!topic/gitlist/Hw_KdZfA4js