
CVSS: 6.5 • EPSS: % • CPEs: 3 • EXPL: 1

A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions from 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted cargo.toml file. • https://gitlab.com/gitlab-org/gitlab/-/issues/480900 https://hackerone.com/reports/2648665 • CWE-407: Inefficient Algorithmic Complexity

CVSS: 4.2 • EPSS: % • CPEs: 3 • EXPL: 0

An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results. • https://gitlab.com/gitlab-org/gitlab/-/issues/456922 • CWE-613: Insufficient Session Expiration

CVSS: 3.1 • EPSS: 0% • CPEs: 3 • EXPL: 1

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, and all versions starting from 17.5 before 17.5.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks. • https://gitlab.com/gitlab-org/gitlab/-/issues/498257 https://hackerone.com/reports/2759470 • CWE-708: Incorrect Ownership Assignment

CVSS: 6.8 • EPSS: 0% • CPEs: 3 • EXPL: 1

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed an attacker to gain full API access as the victim via the Device OAuth flow. • https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#device-oauth-flow-allows-for-cross-window-forgery https://gitlab.com/gitlab-org/gitlab/-/issues/476670 https://hackerone.com/reports/2627925 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CVSS: 6.1 • EPSS: 0% • CPEs: 3 • EXPL: 1

An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL. • https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#stored-xss-through-javascript-url-in-analytics-dashboards https://gitlab.com/gitlab-org/gitlab/-/issues/486220 https://hackerone.com/reports/2683863 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')