CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-13268
https://notcve.org/view.php?id=CVE-2020-13268
A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1 Se podría usar una petición especialmente diseñada para confirmar la existencia de archivos alojados en servicios de almacenamiento de objetos, sin revelar su contenido. Esta vulnerabilidad afecta a GitLab CE/EE versiones 12.10 y posteriores hasta 13.0.1 • https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13268.json https://gitlab.com/gitlab-org/gitlab/-/issues/214220 https://hackerone.com/reports/848415 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-13267
https://notcve.org/view.php?id=CVE-2020-13267
A Stored Cross-Site Scripting vulnerability allowed the execution on Javascript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1 Una vulnerabilidad de tipo Cross-Site Scripting Almacenado, permitió la ejecución en cargas útiles de Javascript en el Metrics Dashboard en GitLab CE/EE versiones 12.8 y posteriores hasta 13.0.1 • https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13267.json https://gitlab.com/gitlab-org/gitlab/-/issues/211956 https://hackerone.com/reports/824773 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-13271
https://notcve.org/view.php?id=CVE-2020-13271
A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1 Una vulnerabilidad de tipo Cross-Site Scripting Almacenado permitió la ejecución de código Javascript arbitrario en la API blobs en todas las versiones anteriores de GitLab CE/EE hasta 13.0.1 • https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13271.json https://gitlab.com/gitlab-org/gitlab/-/issues/200094 https://hackerone.com/reports/672150 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-13266
https://notcve.org/view.php?id=CVE-2020-13266
Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions Una autorización no segura en Project Deploy Keys en GitLab CE/EE versiones 12.8 y posteriores hasta 13.0.1, permite a usuarios actualizar los permisos de las claves de despliegue de otros usuarios bajo determinadas condiciones • https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13266.json https://gitlab.com/gitlab-org/gitlab/-/issues/208449 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12448
https://notcve.org/view.php?id=CVE-2020-12448
GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet. GitLab EE versión 12.8 y posterior, permite una Exposición de Información Confidencial a un Actor No Autorizado por medio de NuGet. • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •