CVSS: 6.5EPSS: 0%CPEs: 54EXPL: 0CVE-2017-11438
https://notcve.org/view.php?id=CVE-2017-11438
02 Aug 2017 — GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup. GitLab Community Edition (CE) y Enterprise Edition (EE) anteriores a la 9.0.11, 9.0.11, 9.1.8 y 9.2.8 permiten que un usuario autenticado con la capacidad para crear un grupo se añada a sí mismo en cualquier proyecto que se sitúe dentro de un subgrupo. • https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released • CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 175EXPL: 0CVE-2017-11437
https://notcve.org/view.php?id=CVE-2017-11437
02 Aug 2017 — GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, and 9.3.8 allows an authenticated user with the ability to create a project to use the mirroring feature to potentially read repositories belonging to other users. GitLab Enterprise Edition (EE) en sus versiones anteriores a la 8.17.7 y las versiones 9.0.11, 9.1.8, 9.2.8 y 9.3.8 permite que un usuario autenticado con la capacidad para crear un proyecto utilice la función de replicación para poder acceder a repositorios de otros usuarios. • https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 1CVE-2017-8778
https://notcve.org/view.php?id=CVE-2017-8778
04 May 2017 — GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 has XSS via a SCRIPT element in an issue attachment or avatar that is an SVG document. GitLab anteriores a 8.14.9, 8.15.x anteriores a 8.15.6 y 8.16.x anteriores a 8.16.5 tienen XSS a través de un elemento SCRIPT en un archivo adjunto o un avatar que es un documento SVG. • https://about.gitlab.com/2017/02/15/gitlab-8-dot-16-dot-5-security-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 59EXPL: 1CVE-2017-0882
https://notcve.org/view.php?id=CVE-2017-0882
28 Mar 2017 — Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC. Multiples versiones de GitLab exponen credenciales de usuario confidenciales al asignar un usuario a una solicitud de emisión o de combinación. Una correción fue incluida en las versiones 8.15.8, 8.16.7 y 8.17.4, que se publicaron el 20 de marzo de 2017 a las 23:59 UTC. • http://www.securityfocus.com/bid/97157 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.2EPSS: 0%CPEs: 22EXPL: 2CVE-2016-9469
https://notcve.org/view.php?id=CVE-2016-9469
28 Mar 2017 — Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3... • https://about.gitlab.com/2016/12/05/cve-2016-9469 • CWE-264: Permissions, Privileges, and Access Controls CWE-749: Exposed Dangerous Method or Function •
CVSS: 6.5EPSS: 0%CPEs: 46EXPL: 0CVE-2016-9086
https://notcve.org/view.php?id=CVE-2016-9086
03 Nov 2016 — GitLab versions 8.9.x and above contain a critical security flaw in the "import/export project" feature of GitLab. Added in GitLab 8.9, this feature allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users. This feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an... • http://www.securityfocus.com/bid/94136 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 3%CPEs: 45EXPL: 2CVE-2016-4340 – GitLab - 'impersonate' Feature Privilege Escalation
https://notcve.org/view.php?id=CVE-2016-4340
16 Aug 2016 — The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors. La característica de suplantación en Gitlab 8.7.0, 8.6.0 hasta la versión 8.6.7, 8.5.0 hasta la versión 8.5.11, 8.4.0 hasta la versión 8.4.9, 8.3.0 hasta la versión 8.3.8 y 8.2.0 hasta la versión 8.2.4 permite a usuarios remotos autenticados para "iniciar sesión" como cual... • https://www.exploit-db.com/exploits/40236 • CWE-264: Permissions, Privileges, and Access Controls •