CVE-2023-2182
https://notcve.org/view.php?id=CVE-2023-2182
An issue has been discovered in GitLab EE affecting all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under certain conditions when OpenID Connect is enabled on an instance, it may allow users who are marked as 'external' to become 'regular' users thus leading to privilege escalation for those users. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2182.json https://gitlab.com/gitlab-org/gitlab/-/issues/403012 •
CVE-2023-0805
https://notcve.org/view.php?id=CVE-2023-0805
An issue has been discovered in GitLab EE affecting all versions starting from 15.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to have access to the public projects of a public group even after being banned from the public group by the owner. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0805.json https://gitlab.com/gitlab-org/gitlab/-/issues/391433 https://hackerone.com/reports/1850046 •
CVE-2023-1265
https://notcve.org/view.php?id=CVE-2023-1265
An issue has been discovered in GitLab affecting all versions starting from 11.9 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The condition allows for a privileged attacker, under certain conditions, to obtain session tokens from all users of a GitLab instance. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1265.json https://gitlab.com/gitlab-org/gitlab/-/issues/394960 https://hackerone.com/reports/1888690 • CWE-384: Session Fixation •
CVE-2018-17536
https://notcve.org/view.php?id=CVE-2018-17536
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the merge request page via project import. • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-17537
https://notcve.org/view.php?id=CVE-2018-17537
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. blog-viewer has stored XSS during repository browsing, if package.json exists. . • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •