CVE-2023-7028 – GitLab Community and Enterprise Editions Improper Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2023-7028
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address. Se ha descubierto un problema en GitLab CE/EE que afecta a todas las versiones desde 16.1 anterior a 16.1.6, 16.2 anterior a 16.2.9, 16.3 anterior a 16.3.7, 16.4 anterior a 16.4.5, 16.5 anterior a 16.5.6, 16.6 antes de 16.6.4 y 16.7 antes de 16.7.2 en los que los correos electrónicos de restablecimiento de contraseña de cuenta de usuario podían enviarse a una dirección de correo electrónico no verificada. GitLab CE/EE versions prior to 16.7.2 suffer from a password reset vulnerability. GitLab Community and Enterprise Editions contain an improper access control vulnerability. This allows an attacker to trigger password reset emails to be sent to an unverified email address to ultimately facilitate an account takeover. • https://www.exploit-db.com/exploits/51889 https://github.com/yoryio/CVE-2023-7028 https://github.com/mochammadrafi/CVE-2023-7028 https://github.com/soltanali0/CVE-2023-7028 https://github.com/Vozec/CVE-2023-7028 https://github.com/RandomRobbieBF/CVE-2023-7028 https://github.com/duy-31/CVE-2023-7028 https://github.com/thanhlam-attt/CVE-2023-7028 https://github.com/googlei1996/CVE-2023-7028 https://github.com/Trackflaw/CVE-2023-7028-Docker https://github.com/Shim • CWE-284: Improper Access Control CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVE-2023-6955 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-6955
An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. Existe una vulnerabilidad de control de acceso inadecuado en GitLab Remote Development que afecta a todas las versiones anteriores a 16.5.6, 16.6 anterior a 16.6.4 y 16.7 anterior a 16.7.2. Esta condición permite a un atacante crear un workspace en un grupo asociado con un agente de otro grupo. A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. • https://gitlab.com/gitlab-org/gitlab/-/issues/432188 • CWE-284: Improper Access Control CWE-668: Exposure of Resource to Wrong Sphere CWE-862: Missing Authorization •