CVE-2014-4511

Gitlist <0.5.0 - RCE

Title source: llm

Description

Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/33990
exploitdb WORKING POC VERIFIED
by drone · python · remote · multiple
https://www.exploit-db.com/exploits/33929
nomisec WORKING POC
by michaelsss1 · poc
https://github.com/michaelsss1/gitlist-RCE
metasploit WORKING POC EXCELLENT
by drone · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/gitlist_exec.rb

Scores

EPSS 0.8662
EPSS Percentile 99.4%

Details

Status published
Products (4)
gitlist/gitlist 0.1
gitlist/gitlist 0.2
gitlist/gitlist 0.3
gitlist/gitlist < 0.4.0
Published Jul 22, 2014
Tracked Since Feb 18, 2026