CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2018-14603
https://notcve.org/view.php?id=CVE-2018-14603
27 Jul 2018 — An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. CSRF can occur in the Test feature of the System Hooks component. Se ha descubierto un problema en las ediciones Community y Enterprise de GitLab, en versiones anteriores a la 10.8.7, versiones 11.0.x anteriores a la 11.0.5 y versiones 11.1.x anteriores a la 11.1.2. Puede ocurrir Cross-Site Request Forgery (CSRF) en la característica Test del componente System Hooks. • https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2018-14604
https://notcve.org/view.php?id=CVE-2018-14604
27 Jul 2018 — An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur in the tooltip of the job inside the CI/CD pipeline. Se ha descubierto un problema en las ediciones Community y Enterprise de GitLab, en versiones anteriores a la 10.8.7, versiones 11.0.x anteriores a la 11.0.5 y versiones 11.1.x anteriores a la 11.1.2. Puede ocurrir Cross-Site Scripting (XSS) en el tooltip del job dento del pipeline CI/CD. • https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-14602
https://notcve.org/view.php?id=CVE-2018-14602
27 Jul 2018 — An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. Information Disclosure can occur because the Prometheus metrics feature discloses private project pathnames. Se ha descubierto un problema en las ediciones Community y Enterprise de GitLab, en versiones anteriores a la 10.8.7, versiones 11.0.x anteriores a la 11.0.5 y versiones 11.1.x anteriores a la 11.1.2. Puede ocurrir una divulgación de información porque la característica de... • https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 13%CPEs: 6EXPL: 2CVE-2018-14364
https://notcve.org/view.php?id=CVE-2018-14364
18 Jul 2018 — GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component. Las ediciones Community y Enterprise de GitLab, en versiones anteriores a la 10.7.7, versiones 10.8.x anteriores a la 10.8.6 y versiones 11.x anteriores a la 11.0.4, permiten un salto de directorio con acceso de escritura y una ejecución remota de código resultante mediante el componente ... • https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2017-0919
https://notcve.org/view.php?id=CVE-2017-0919
03 Jul 2018 — GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the GitLab import component resulting in an attacker being able to perform operations under a group in which they were previously unauthorized. Las ediciones Community y Enterprise de Gitlab, en versiones anteriores a la 10.1.6, 10.2.6 y 10.3.4, son vulnerables a un problema de omisión de autorización en el componente de importación de GitLab. Esto resulta en que un atacante puede re... • https://hackerone.com/reports/301137 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2017-0921
https://notcve.org/view.php?id=CVE-2017-0921
03 Jul 2018 — GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised. Las ediciones Community y Enterprise de Gitlab, en versiones anteriores a la 10.1.6, 10.2.6 y 10.3.4, son vulnerables a un problema de cambio de contraseña sin verificar en el componente PasswordsController, lo que resulta en la toma de control de la cuenta si la sesi... • https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2018-10379
https://notcve.org/view.php?id=CVE-2018-10379
31 May 2018 — An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 10.5.8, 10.6.x before 10.6.5, and 10.7.x before 10.7.2. The Move Issue feature contained a persistent XSS vulnerability. Se ha descubierto un problema en GitLab Community Edition (CE) y Enterprise Edition (EE), en versiones anteriores a la 10.5.8, versiones 10.6.x anteriores a la 10.6.5 y versiones 10.7.x anteriores a la 10.7.2. La característica Move Issue contenía una vulnerabilidad Cross-Site Scripting (XSS) persi... • http://www.securityfocus.com/bid/104491 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2018-8801
https://notcve.org/view.php?id=CVE-2018-8801
25 Apr 2018 — GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component. Las ediciones Community y Enterprise de GitLab, desde la versión 8.3 hasta las versiones 10.x anteriores a la 10.3, son vulnerables a SSRF en el componente Services and webhooks. • https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 1CVE-2018-9244
https://notcve.org/view.php?id=CVE-2018-9244
05 Apr 2018 — GitLab Community and Enterprise Editions version 9.2 up to 10.4 are vulnerable to XSS because a lack of input validation in the milestones component leads to cross site scripting (specifically, data-milestone-id in the milestone dropdown feature). This is fixed in 10.6.3, 10.5.7, and 10.4.7. Las ediciones Community y Enterprise de GitLab, de la versión 9.2 hasta la 10.4, son vulnerables a Cross-Site Scripting (XSS) debido a la falta de validación de entradas en el componente milestones que desemboca en Cros... • https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 1CVE-2018-9243
https://notcve.org/view.php?id=CVE-2018-9243
05 Apr 2018 — GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7. Las ediciones Community y Enterprise de GitLab, de la versión 8.4 hasta la 10.4, son vulnerables a Cross-Site Scripting (XSS) debido a la falta de validación de entradas en el componente merge request que desemboca en Cross-... • https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •