CVE-2018-19569
https://notcve.org/view.php?id=CVE-2018-19569
GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an authorization vulnerability that allows access to the web-UI as a user using a Personal Access Token of any scope. CE/EE, versiones 8.8 hasta 11.x y anteriores a 11.3.11, versiones 11.4 anteriores a 11.4.8, y versiones 11.5 anteriores a 11.5.1 de GitLab, son vulnerables a una vulnerabilidad de autorización que permite el acceso a la interfaz de usuario web como usuario mediante un Token de Acceso Personal de cualquier ámbito. • http://www.securityfocus.com/bid/109118 https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released https://gitlab.com/gitlab-org/gitlab-ce/issues/50319 • CWE-285: Improper Authorization •
CVE-2018-19575
https://notcve.org/view.php?id=CVE-2018-19575
GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to make comments on a locked issue. CE/EE, versiones 10.1 hasta 11.x y anteriores a 11.3.11, versiones 11.4 anteriores a 11.4.8, y versiones 11.5 anteriores a 11.5.1 de GitLab, son vulnerables a un problema de referencia de objeto directo no seguro que permite al usuario realizar comentarios sobre un problema bloqueado. • http://www.securityfocus.com/bid/109121 https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released https://gitlab.com/gitlab-org/gitlab-ce/issues/52523 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2018-19576
https://notcve.org/view.php?id=CVE-2018-19576
GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential. CE/EE, versiones 8.6 hasta 11.x y anteriores a 11.3.11, versiones 11.4 anteriores a 11.4.8, y versiones 11.5 anteriores a 11.5.1 de GitLab, son vulnerables a un problema de control de acceso que permite a un usuario Guest realizar cambios o eliminar sus propios comentarios sobre un problema, después de que el problema se haya hecho Confidencial. • https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released https://gitlab.com/gitlab-org/gitlab-ce/issues/51238 • CWE-284: Improper Access Control •
CVE-2018-19572
https://notcve.org/view.php?id=CVE-2018-19572
GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11. CE versión 8.17 y posteriores y EE versión 8.3 y posteriores de GitLab, presenta una condición de carrera de tiempo de comprobación en el tiempo de uso de un symlink que permitiría el acceso no autorizado a archivos en el entorno chroot de Páginas de GitLab. Esto se corrige en las versiones 11.5.1, 11.4.8 y 11.3.11. • https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released https://gitlab.com/gitlab-org/gitlab-pages/issues/98 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2018-19570
https://notcve.org/view.php?id=CVE-2018-19570
GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags. CE/EE, versiones 11.3 anteriores a 11.3.11, versiones 11.4 anteriores a 11.4.8, y versiones 11.5 anteriores a 11.5.1 de GitLab, son vulnerables a una vulnerabilidad de tipo XSS en los campos Markdown por medio de etiquetas HTML no reconocidas. • http://www.securityfocus.com/bid/109169 https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released https://gitlab.com/gitlab-org/gitlab-ce/issues/52392 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •