CVE-2020-13267
https://notcve.org/view.php?id=CVE-2020-13267
A Stored Cross-Site Scripting vulnerability allowed the execution of JavaScript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1. • https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13267.json https://gitlab.com/gitlab-org/gitlab/-/issues/211956 https://hackerone.com/reports/824773 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13271
https://notcve.org/view.php?id=CVE-2020-13271
A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary JavaScript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1. • https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13271.json https://gitlab.com/gitlab-org/gitlab/-/issues/200094 https://hackerone.com/reports/672150 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13266
https://notcve.org/view.php?id=CVE-2020-13266
Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions. • https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13266.json https://gitlab.com/gitlab-org/gitlab/-/issues/208449 • CWE-862: Missing Authorization
CVE-2020-12448
https://notcve.org/view.php?id=CVE-2020-12448
GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet. • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-12275
https://notcve.org/view.php?id=CVE-2020-12275
GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API. • https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released