CVE-2022-3060
https://notcve.org/view.php?id=CVE-2022-3060
Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests Un control inapropiado de un identificador de recurso en el seguimiento de errores en GitLab CE/EE, afectando a todas las versiones a partir de 12.7, permite que un atacante autenticado genere contenido que podría causar que una víctima realice peticiones arbitrarias no deseadas • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3060.json https://gitlab.com/gitlab-org/gitlab/-/issues/365427 https://hackerone.com/reports/1600343 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-3066
https://notcve.org/view.php?id=CVE-2022-3066
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an unauthorised user to create issues in a project. Se ha detectado un problema en GitLab afectando a todas las versiones a partir de 10.0 anteriores a 15.2.5, todas las versiones a partir de 15.3 anteriores a 15.3.4, todas las versiones a partir de 15.4 anteriores a 15.4.1. Era posible que un usuario no autorizado creara problemas en un proyecto • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3066.json https://gitlab.com/gitlab-org/gitlab/-/issues/372149 https://hackerone.com/reports/1685105 •
CVE-2022-2428
https://notcve.org/view.php?id=CVE-2022-2428
A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests Una etiqueta diseñada en Jupyter Notebook viewer in GitLab EE/CE que afectando a todas las versiones anteriores a 15.1.6, 15.2 a 15.2.4, y 15.3 a 15.3.2 permite a un atacante emitir peticiones HTTP arbitrarias • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2428.json https://gitlab.com/gitlab-org/gitlab/-/issues/362272 https://hackerone.com/reports/1563379 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-2527
https://notcve.org/view.php?id=CVE-2022-2527
An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2.which allowed an authenticated attacker to inject arbitrary content. A victim interacting with this content could lead to arbitrary requests. Se ha detectado un problema en las líneas de tiempo de incidentes en GitLab CE/EE afectando a todas las versiones a partir de 14.9 anteriores a 15.1.6, a todas las versiones a partir de 15.2 anteriores a 15.2.4, a todas las versiones a partir de 15.3 anteriores a 15.3.2.que permitía a un atacante autenticado inyectar contenido arbitrario. Una víctima que interactuara con este contenido podría conllevar a peticiones arbitrarias • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2527.json https://gitlab.com/gitlab-org/gitlab/-/issues/368676 https://hackerone.com/reports/1647446 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-2865
https://notcve.org/view.php?id=CVE-2022-2865
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4 and 15.3 prior to 15.3.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side. Se ha detectado un problema de tipo cross-site scripting en GitLab CE/EE afectando a todas las versiones anteriores a 15.1.6, 15.2 a 15.2.4 y 15.3 anteriores a 15.3.2. Era posible explotar una vulnerabilidad en la configuración de la función de color de las etiquetas que podía conllevar a un ataque de tipo XSS almacenado que permitía a atacantes llevar a cabo acciones arbitrarias en nombre de las víctimas en el lado del cliente • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2865.json https://gitlab.com/gitlab-org/gitlab/-/issues/370873 https://hackerone.com/reports/1665658 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •