Page 38 of 874 results (0.007 seconds)

CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0

An issue has been discovered in GitLab EE affecting all versions starting from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Lack of verification on RelayState parameter allowed a maliciously crafted URL to obtain access tokens granted for 3rd party Group SAML SSO logins. This feature isn't enabled by default. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1965.json https://gitlab.com/gitlab-org/gitlab/-/issues/406235 https://hackerone.com/reports/1923672 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0

An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. A user with the role of developer could use the import project feature to leak CI/CD variables. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2069.json https://gitlab.com/gitlab-org/gitlab/-/issues/407374 https://hackerone.com/reports/1939987 • CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1

An issue has been discovered in GitLab EE affecting all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under certain conditions when OpenID Connect is enabled on an instance, it may allow users who are marked as 'external' to become 'regular' users thus leading to privilege escalation for those users. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2182.json https://gitlab.com/gitlab-org/gitlab/-/issues/403012 •

CVSS: 5.9EPSS: 0%CPEs: 6EXPL: 0

An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Cookies for GitLab Pages (which have access control) could be sent over cleartext HTTP. • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2019/08/12/critical-security-release-gitlab-12-dot-1-dot-6-released https://gitlab.com/gitlab-org/gitlab-pages/issues/232 • CWE-319: Cleartext Transmission of Sensitive Information •

CVSS: 6.5EPSS: 1%CPEs: 6EXPL: 1

An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege escalation or remote code execution. • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2019/08/12/critical-security-release-gitlab-12-dot-1-dot-6-released https://gitlab.com/gitlab-org/gitaly/issues/1801 https://gitlab.com/gitlab-org/gitaly/issues/1802 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •