CVE-2023-6371 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2023-6371
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf of victims. Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones anteriores a 16.8.5, todas las versiones desde 16.9 anteriores a 16.9.3, todas las versiones desde 16.10 anteriores a 16.10.1. Una página wiki con un payload manipulado puede generar un XSS almacenado, lo que permite a los atacantes realizar acciones arbitrarias en nombre de las víctimas. • https://gitlab.com/gitlab-org/gitlab/-/issues/433021 https://hackerone.com/reports/2257080 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-2818 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2024-2818
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using malicious crafted description parameter for labels. Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones anteriores a 16.8.5, todas las versiones desde 16.9 anteriores a 16.9.3, todas las versiones desde 16.10 anteriores a 16.10.1. Era posible que un atacante provocara una denegación de servicio utilizando un parámetro de descripción manipulado maliciosamente para las etiquetas. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of GitLab. • https://gitlab.com/gitlab-org/gitlab/-/issues/434803 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2024-0199 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2024-0199
An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions. Se descubrió una vulnerabilidad de omisión de autorización en GitLab que afecta a las versiones 11.3 anteriores a 16.7.7, 16.7.6 anteriores a 16.8.4 y 16.8.3 anteriores a 16.9.2. Un atacante podría eludir a CODEOWNERS utilizando un payload malicioso en una rama de funciones antigua para realizar acciones maliciosas. • https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released https://gitlab.com/gitlab-org/gitlab/-/issues/436977 https://hackerone.com/reports/2295423 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVE-2023-4895 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-4895
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access environment details of projects Se descubrió un problema en GitLab EE que afecta a todas las versiones desde 12.0 a 16.7.6, todas las versiones desde 16.8 anteriores a 16.8.3, todas las versiones desde 16.9 anteriores a 16.9.1. Esta vulnerabilidad permite omitir la configuración de 'restricción de IP de grupo' para acceder a los detalles del entorno de los proyectos. • https://gitlab.com/gitlab-org/gitlab/-/issues/424766 https://hackerone.com/reports/2134787 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVE-2024-0410 – Improper Enforcement of Behavioral Workflow in GitLab
https://notcve.org/view.php?id=CVE-2024-0410
An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict. Se descubrió una vulnerabilidad de omisión de autorización en GitLab que afecta a las versiones 15.1 anteriores a 16.7.6, 16.8 anteriores a 16.8.3 y 16.9 anteriores a 16.9.1. Un desarrollador podría eludir las aprobaciones de CODEOWNERS creando un conflicto de fusión. • https://gitlab.com/gitlab-org/gitlab/-/issues/437988 https://hackerone.com/reports/2296778 • CWE-284: Improper Access Control CWE-841: Improper Enforcement of Behavioral Workflow •