CVE-2018-19583
https://notcve.org/view.php?id=CVE-2018-19583
GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token. • http://www.securityfocus.com/bid/109166 https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182 • CWE-532: Insertion of Sensitive Information into Log File •
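The practical follow-up to a CWE-532 finding like this one is twofold: find out which tokens already landed in the logs (so they can be revoked) and make sure the logger filters credential values before writing. The Ruby below is an added example written for this page, not GitLab or Workhorse code. It assumes tokens reach the log as `private_token` / `access_token` query parameters inside a JSON access-log record with a `uri` field; the sample log lines are constructed for the example and do not reproduce the real Workhorse format.

```ruby
require 'json'

# Constructed sample lines in a Workhorse-style JSON access log. These are
# made-up records for this example, not real GitLab Workhorse output.
SAMPLE_LOG = <<~LOG
  {"time":"2018-11-28T10:00:01Z","method":"GET","uri":"/api/v4/projects?private_token=abcDEF123456xyzQWERT","status":200}
  {"time":"2018-11-28T10:00:02Z","method":"GET","uri":"/api/v4/user","status":200}
  {"time":"2018-11-28T10:00:03Z","method":"GET","uri":"/api/v4/groups?per_page=50&access_token=ZZZtoken0000000aaaaa","status":200}
  {"time":"2018-11-28T10:00:04Z","method":"POST","uri":"/api/v4/projects/1/issues","status":201}
LOG

# Query parameters that carry bearer credentials in GitLab API calls (assumed
# set for this example). A value starting with "[" is treated as already
# redacted so a filtered log does not re-trigger the scanner.
TOKEN_PARAM_RE = /(?<key>private_token|access_token)=(?<value>[^&\s"\[][^&\s"]*)/i

# Scan a log for request URIs that contain a credential. Returns one hash per
# hit so an incident responder knows exactly which tokens to revoke.
def find_leaked_tokens(log_text)
  log_text.each_line.with_index(1).flat_map do |line, lineno|
    begin
      record = JSON.parse(line)
    rescue JSON::ParserError
      next []   # skip lines that are not JSON records
    end
    record.fetch('uri', '').scan(TOKEN_PARAM_RE).map do |key, value|
      { line: lineno, param: key, token: value, uri: record['uri'] }
    end
  end
end

# Hardened logging: strip the credential value before the line is written.
# Keeping the parameter name but not its value leaves the log useful for
# debugging while removing the CWE-532 exposure.
def redact_uri(uri)
  uri.gsub(TOKEN_PARAM_RE) { "#{Regexp.last_match[:key]}=[FILTERED]" }
end

# Apply the redaction to every line of raw log text, regardless of format.
def redact_log(log_text)
  log_text.each_line.map { |line| redact_uri(line.chomp) + "\n" }.join
end

if __FILE__ == $PROGRAM_NAME
  find_leaked_tokens(SAMPLE_LOG).each do |hit|
    puts "line #{hit[:line]}: #{hit[:param]} leaked in #{hit[:uri]}"
  end
  puts redact_log(SAMPLE_LOG)
end
```

Run the scanner against the archived logs from the affected versions before upgrading, and treat every hit as a token to revoke; the redaction step is the shape of fix you want in any request logger that sees raw URIs.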
CVE-2018-19580
https://notcve.org/view.php?id=CVE-2018-19580
All versions of GitLab prior to 11.5.1, 11.4.8, and 11.3.11 do not send an email to the old email address when an email address change is made. • https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released https://gitlab.com/gitlab-org/gitlab-ce/issues/39809 • CWE-20: Improper Input Validation •
CVE-2018-19574
https://notcve.org/view.php?id=CVE-2018-19574
GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page. • http://www.securityfocus.com/bid/109163 https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released https://gitlab.com/gitlab-org/gitlab-ce/issues/42057 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-19569
https://notcve.org/view.php?id=CVE-2018-19569
GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an authorization vulnerability that allows access to the web UI as a user using a Personal Access Token of any scope. • http://www.securityfocus.com/bid/109118 https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released https://gitlab.com/gitlab-org/gitlab-ce/issues/50319 • CWE-285: Improper Authorization •
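The point of this entry is that a token's scope has to constrain what the token can authenticate, not just that the token is valid. The Ruby below is an added example written for this page, not GitLab's authentication code: it contrasts a lookup that turns any active token into a user for any request with one that only honours tokens on API routes and only when the token carries the scope the route needs. The route-to-scope table and the `Request` / `PersonalAccessToken` structs are assumptions made for the example.

```ruby
# Illustrative model of the two ways a request can be authenticated.
# Example code for this page, not GitLab's implementation.
PersonalAccessToken = Struct.new(:user, :scopes, :revoked) do
  def active?
    !revoked
  end
end

# session_user is set when a browser session cookie authenticated the request;
# token is set when a PRIVATE-TOKEN header or private_token parameter was sent.
Request = Struct.new(:path, :session_user, :token)

# Scope required by each API route prefix (assumed mapping for the example).
# The 'api' scope is a superset that satisfies every route.
API_SCOPE_FOR = {
  '/api/v4/user'     => 'read_user',
  '/api/v4/projects' => 'api'
}.freeze

def api_request?(path)
  path.start_with?('/api/')
end

# Vulnerable pattern: any active token identifies its owner for any request,
# so a token scoped only to read_user yields a full browser session on
# non-API pages such as /dashboard or the admin area.
def current_user_vulnerable(request)
  return request.session_user if request.session_user
  request.token.user if request.token&.active?
end

# Hardened pattern: tokens are honoured only on API routes, and only when the
# token carries the scope the route requires. Web UI paths need a session;
# a token of any scope is never enough.
def current_user_hardened(request)
  return request.session_user if request.session_user

  token = request.token
  return nil unless token&.active? && api_request?(request.path)

  _prefix, required = API_SCOPE_FOR.find { |p, _| request.path.start_with?(p) }
  return nil unless required
  return nil unless token.scopes.include?(required) || token.scopes.include?('api')

  token.user
end

if __FILE__ == $PROGRAM_NAME
  read_only = PersonalAccessToken.new('alice', ['read_user'], false)
  ui = Request.new('/dashboard/projects', nil, read_only)
  puts "vulnerable: #{current_user_vulnerable(ui).inspect}"   # 'alice'
  puts "hardened:   #{current_user_hardened(ui).inspect}"     # nil
end
```

The second function also shows the check you want in a regression test for this class of bug: a read-only token must be rejected on a non-API path and on an API path whose scope it lacks, while a full-scope token still must not open a UI session.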
CVE-2018-19576
https://notcve.org/view.php?id=CVE-2018-19576
GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue after the issue was made Confidential. • https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released https://gitlab.com/gitlab-org/gitlab-ce/issues/51238 • CWE-284: Improper Access Control •
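The failure here is a write permission derived from ownership alone, without re-checking whether the owner can still see the parent object. The Ruby below is an added example for this page, not GitLab's policy classes: a minimal model of confidential-issue visibility (author, assignees, and members at Reporter or above can read; a plain Guest cannot, which matches GitLab's documented rule) with a note-update check that only tests authorship beside one that also re-derives readability at request time. The struct names and access-level numbers are assumptions made for the example.

```ruby
# Illustrative objects; example code for this page, not GitLab's own models.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30 }.freeze

User  = Struct.new(:name, :access_level)                  # project membership role
Issue = Struct.new(:iid, :confidential, :author, :assignees)
Note  = Struct.new(:author, :issue, :body)                # a comment on an issue

# Confidential issues are visible to the issue author, its assignees, and
# project members at Reporter or above; plain Guests cannot read them.
def can_read_issue?(user, issue)
  return true unless issue.confidential
  return true if issue.author == user || issue.assignees.include?(user)

  user.access_level >= ACCESS_LEVELS[:reporter]
end

# Vulnerable check: authorship alone grants edit/delete, even after the issue
# became confidential and the Guest lost the right to see it.
def can_update_note_vulnerable?(user, note)
  note.author == user
end

# Hardened check: every write on a note re-derives readability of its parent
# issue at the time of the request. Owning the note is necessary but not
# sufficient; if you can no longer read the issue, you cannot touch the note.
def can_update_note_hardened?(user, note)
  note.author == user && can_read_issue?(user, note.issue)
end

if __FILE__ == $PROGRAM_NAME
  guest    = User.new('guest', ACCESS_LEVELS[:guest])
  reporter = User.new('rep', ACCESS_LEVELS[:reporter])
  issue    = Issue.new(7, false, reporter, [])
  note     = Note.new(guest, issue, 'looks fine to me')

  issue.confidential = true   # issue is flipped after the Guest commented
  puts "vulnerable allows edit: #{can_update_note_vulnerable?(guest, note)}" # true
  puts "hardened allows edit:   #{can_update_note_hardened?(guest, note)}"   # false
end
```

The same shape applies to any nested resource whose visibility can change after creation: the authorization check for a write must be evaluated against the current state of the parent, never cached from the moment the child was created.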