CVE-2023-5933 – Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
https://notcve.org/view.php?id=CVE-2023-5933
An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests. Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones posteriores a 13.7 anteriores a 16.6.6, 16.7 anteriores a 16.7.4 y 16.8 anteriores a 16.8.1. La sanitización inadecuada de la entrada del nombre de usuario permite solicitudes PUT de API arbitrarias. • https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/430236 https://hackerone.com/reports/2225710 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2024-0456 – Direct Request ('Forced Browsing') in GitLab
https://notcve.org/view.php?id=CVE-2024-0456
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project Existe una vulnerabilidad de autorización en las versiones de GitLab 14.0 anteriores a 16.6.6, 16.7 anteriores a 16.7.4 y 16.8 anteriores a 16.8.1. Un atacante no autorizado puede asignar usuarios arbitrarios a los MR que crearon dentro del proyecto. • https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/430726 • CWE-285: Improper Authorization CWE-425: Direct Request ('Forced Browsing') •
CVE-2024-0402 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
https://notcve.org/view.php?id=CVE-2024-0402
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones desde 16.0 anterior a 16.6.6, 16.7 anterior a 16.7.4 y 16.8 anterior a 16.8.1, lo que permite a un usuario autenticado escribir archivos en ubicaciones arbitrarias en el servidor GitLab mientras crea un workspace. • https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/437819 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •