CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 1CVE-2023-6371 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2023-6371
28 Mar 2024 — An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf of victims. Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones anteriores a 16.8.5, todas las versiones desde 16.9 anteriores a 16.9.3, todas las versiones desde 16.10 anteriores a 16.10.1. U... • https://gitlab.com/gitlab-org/gitlab/-/issues/433021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-2818 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2024-2818
28 Mar 2024 — An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using malicious crafted description parameter for labels. Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones anteriores a 16.8.5, todas las versiones desde 16.9 anteriores a 16.9.3, todas las versiones desde 16.10 anteriores a 16.10.1. Era posible q... • https://gitlab.com/gitlab-org/gitlab/-/issues/434803 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 1CVE-2024-0199 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2024-0199
07 Mar 2024 — An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions. Se descubrió una vulnerabilidad de omisión de autorización en GitLab que afecta a las versiones 11.3 anteriores a 16.7.7, 16.7.6 anteriores a 16.8.4 y 16.8.3 anteriores a 16.9.2. Un atacante podría eludir a CODEOWNERS utilizando un pa... • https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 1CVE-2024-1299 – Privilege Chaining in GitLab
https://notcve.org/view.php?id=CVE-2024-1299
07 Mar 2024 — A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges. Se descubrió una vulnerabilidad de escalada de privilegios en GitLab que afecta a las versiones 16.8 anteriores a 16.8.4 y 16.9 anteriores a 16.9.2. Era posible que un usuario con el rol personalizado `manage_group_access_tokens` rotara tokens de acceso d... • https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released • CWE-268: Privilege Chaining CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2023-4895 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-4895
22 Feb 2024 — An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access environment details of projects Se descubrió un problema en GitLab EE que afecta a todas las versiones desde 12.0 a 16.7.6, todas las versiones desde 16.8 anteriores a 16.8.3, todas las versiones desde 16.9 anteriores a 16.9.1. Esta vuln... • https://gitlab.com/gitlab-org/gitlab/-/issues/424766 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 8.0EPSS: 0%CPEs: 3EXPL: 1CVE-2023-6477 – Incorrect Privilege Assignment in GitLab
https://notcve.org/view.php?id=CVE-2023-6477
21 Feb 2024 — An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation. Se descubrió un problema en GitLab EE que afecta a todas las versiones desde 16.5 anteriores a 16.7.6, todas las versione... • https://gitlab.com/gitlab-org/gitlab/-/issues/433463 • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 1CVE-2024-0410 – Improper Enforcement of Behavioral Workflow in GitLab
https://notcve.org/view.php?id=CVE-2024-0410
21 Feb 2024 — An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict. Se descubrió una vulnerabilidad de omisión de autorización en GitLab que afecta a las versiones 15.1 anteriores a 16.7.6, 16.8 anteriores a 16.8.3 y 16.9 anteriores a 16.9.1. Un desarrollador podría eludir las aprobaciones de CODEOWNERS creando un conflicto de fusión. • https://gitlab.com/gitlab-org/gitlab/-/issues/437988 • CWE-284: Improper Access Control CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 1CVE-2024-1451 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2024-1451
21 Feb 2024 — An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.1. A crafted payload added to the user profile page could lead to a stored XSS on the client side, allowing attackers to perform arbitrary actions on behalf of victims." Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones desde la 16.9 hasta la 16.9.1. un payload manipulado y agregado a la página de perfil del usuario podría generar un XSS almacenado en el lado del cliente, lo que permiti... • https://gitlab.com/gitlab-org/gitlab/-/issues/441457 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-1525 – Authentication Bypass Using an Alternate Path or Channel in GitLab
https://notcve.org/view.php?id=CVE-2024-1525
21 Feb 2024 — An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with the reset password, bypassing LDAP. Se ha descubierto un problema en GitLab CE/EE que afecta a todas las versiones desde 16.1 anteriores a 16.... • https://gitlab.com/gitlab-org/gitlab/-/issues/438144 • CWE-284: Improper Access Control CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2024-0861 – Direct Request ('Forced Browsing') in GitLab
https://notcve.org/view.php?id=CVE-2024-0861
21 Feb 2024 — An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions. Se ha descubierto un problema en GitLab EE que afecta a todas las versiones desde 16.4 anteriores a 16.7.6, todas las versiones desde 16.8 anteriores a 16.8.3, todas las versiones desde 16.9 anteriores a 16.9.1. Los us... • https://gitlab.com/gitlab-org/gitlab/-/issues/439240 • CWE-285: Improper Authorization CWE-425: Direct Request ('Forced Browsing') •