CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2025-0652 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2025-0652
13 Mar 2025 — An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only. • https://gitlab.com/gitlab-org/gitlab/-/issues/514532 • CWE-863: Incorrect Authorization •
CVSS: 3.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-1540 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2025-1540
06 Mar 2025 — An issue has been discovered in GitLab CE/EE for Self-Managed and Dedicated instances affecting all versions from 17.5 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. It was possible for a user added as an External to read and clone internal projects under certain circumstances." • https://about.gitlab.com/releases/2025/02/12/patch-release-gitlab-17-8-2-released/#saml-authentication-misconfigures-external-user-attribute • CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 1CVE-2025-0555 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2025-0555
03 Mar 2025 — A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a users browser under specific conditions. • https://gitlab.com/gitlab-org/gitlab/-/issues/514004 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2024-10925 – Authorization Bypass Through User-Controlled Key in GitLab
https://notcve.org/view.php?id=CVE-2024-10925
03 Mar 2025 — A vulnerability in GitLab-EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows a Guest user to read Security policy YAML • https://gitlab.com/gitlab-org/gitlab/-/issues/502857 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 1CVE-2025-0475 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2025-0475
03 Mar 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances. • https://gitlab.com/gitlab-org/gitlab/-/issues/513142 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 1CVE-2024-8186 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2024-8186
03 Mar 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HMTL into the child item search potentially leading to XSS in certain situations. • https://gitlab.com/gitlab-org/gitlab/-/issues/480751 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 1CVE-2024-3303 – Improper Neutralization of Input Used for LLM Prompting in GitLab
https://notcve.org/view.php?id=CVE-2024-3303
13 Feb 2025 — An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection. • https://gitlab.com/gitlab-org/gitlab/-/issues/454460 • CWE CATEGORY •
CVSS: 4.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-1198 – Insufficient Session Expiration in GitLab
https://notcve.org/view.php?id=CVE-2025-1198
13 Feb 2025 — An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results. • https://gitlab.com/gitlab-org/gitlab/-/issues/511477 • CWE-613: Insufficient Session Expiration •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7102 – Execution with Unnecessary Privileges in GitLab
https://notcve.org/view.php?id=CVE-2024-7102
13 Feb 2025 — An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.0 which allows an attacker to trigger a pipeline as another user under certain circumstances. • https://gitlab.com/gitlab-org/gitlab/-/issues/474414 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 1CVE-2024-8266 – Execution with Unnecessary Privileges in GitLab
https://notcve.org/view.php?id=CVE-2024-8266
13 Feb 2025 — An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain circumstances. • https://gitlab.com/gitlab-org/gitlab/-/issues/481531 • CWE-250: Execution with Unnecessary Privileges •