
CVE-2017-12426
https://notcve.org/view.php?id=CVE-2017-12426
14 Aug 2017 — GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import. GitLab Community Edition (CE) y Enterprise Edition (EE) en versiones anteriores a la 8.17.8, 9.0.x en versiones anteriores a la 9.0.13, 9.1.x en versiones anteriores a la 9.1.10, 9.2.x en versiones anteriores a la 9.2.10, 9.3.x en ver... • https://github.com/sm-paul-schuette/CVE-2017-12426 • CWE-20: Improper Input Validation •

CVE-2017-11437
https://notcve.org/view.php?id=CVE-2017-11437
02 Aug 2017 — GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, and 9.3.8 allows an authenticated user with the ability to create a project to use the mirroring feature to potentially read repositories belonging to other users. GitLab Enterprise Edition (EE) en sus versiones anteriores a la 8.17.7 y las versiones 9.0.11, 9.1.8, 9.2.8 y 9.3.8 permite que un usuario autenticado con la capacidad para crear un proyecto utilice la función de replicación para poder acceder a repositorios de otros usuarios. • https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2017-11438
https://notcve.org/view.php?id=CVE-2017-11438
02 Aug 2017 — GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup. GitLab Community Edition (CE) y Enterprise Edition (EE) anteriores a la 9.0.11, 9.0.11, 9.1.8 y 9.2.8 permiten que un usuario autenticado con la capacidad para crear un grupo se añada a sí mismo en cualquier proyecto que se sitúe dentro de un subgrupo. • https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released • CWE-269: Improper Privilege Management •

CVE-2017-8778
https://notcve.org/view.php?id=CVE-2017-8778
04 May 2017 — GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 has XSS via a SCRIPT element in an issue attachment or avatar that is an SVG document. GitLab anteriores a 8.14.9, 8.15.x anteriores a 8.15.6 y 8.16.x anteriores a 8.16.5 tienen XSS a través de un elemento SCRIPT en un archivo adjunto o un avatar que es un documento SVG. • https://about.gitlab.com/2017/02/15/gitlab-8-dot-16-dot-5-security-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2016-9469
https://notcve.org/view.php?id=CVE-2016-9469
28 Mar 2017 — Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3... • https://about.gitlab.com/2016/12/05/cve-2016-9469 • CWE-264: Permissions, Privileges, and Access Controls CWE-749: Exposed Dangerous Method or Function •

CVE-2017-0882
https://notcve.org/view.php?id=CVE-2017-0882
28 Mar 2017 — Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC. Multiples versiones de GitLab exponen credenciales de usuario confidenciales al asignar un usuario a una solicitud de emisión o de combinación. Una correción fue incluida en las versiones 8.15.8, 8.16.7 y 8.17.4, que se publicaron el 20 de marzo de 2017 a las 23:59 UTC. • http://www.securityfocus.com/bid/97157 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2016-9086
https://notcve.org/view.php?id=CVE-2016-9086
03 Nov 2016 — GitLab versions 8.9.x and above contain a critical security flaw in the "import/export project" feature of GitLab. Added in GitLab 8.9, this feature allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users. This feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an... • http://www.securityfocus.com/bid/94136 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2016-4340 – GitLab - 'impersonate' Feature Privilege Escalation
https://notcve.org/view.php?id=CVE-2016-4340
16 Aug 2016 — The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors. La característica de suplantación en Gitlab 8.7.0, 8.6.0 hasta la versión 8.6.7, 8.5.0 hasta la versión 8.5.11, 8.4.0 hasta la versión 8.4.9, 8.3.0 hasta la versión 8.3.8 y 8.2.0 hasta la versión 8.2.4 permite a usuarios remotos autenticados para "iniciar sesión" como cual... • https://packetstorm.news/files/id/138368 • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2013-4489
https://notcve.org/view.php?id=CVE-2013-4489
17 May 2014 — The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature. La gema Grit para Ruby, utilizado en GitLab 5.2 anterior a 5.4.1 y 6.x anterior a 6.2.3, permite a usuarios remotos autenticados ejecutar comandos arbitrarios, tal y como fue demostrado por el cuadro de búsqueda para la funcionalidad de búsqueda de código de GitLab. • https://www.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release •

CVE-2014-3456
https://notcve.org/view.php?id=CVE-2014-3456
13 May 2014 — Cross-site scripting (XSS) vulnerability in GitLab Enterprise Edition (EE) 6.6.0 before 6.6.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en GitLab Enterprise Edition (EE) 6.6.0 anterior a 6.6.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • https://www.gitlab.com/2014/02/27/gitlab-ee-6-6-2-security-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •