CVE-2018-9243
https://notcve.org/view.php?id=CVE-2018-9243
GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7. Las ediciones Community y Enterprise de GitLab, de la versión 8.4 hasta la 10.4, son vulnerables a Cross-Site Scripting (XSS) debido a la falta de validación de entradas en el componente merge request que desemboca en Cross-Site Scripting (XSS) (específicamente, los nombres de archivo en las pestañas de cambios de merge requests). La vulnerabilidad se ha solucionado en las versiones 10.6.3, 10.5.7 y 10.4.7. • https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released https://gitlab.com/gitlab-org/gitlab-ce/issues/42028 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-8971
https://notcve.org/view.php?id=CVE-2018-8971
The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users. La integración de Auth0 en GitLab, en versiones anteriores a la 10.3.9, versiones 10.4.x anteriores a la 10.4.6 y versiones 10.5.x anteriores a la 10.5.6 tiene una configuración omniauth-auth0 incorrecta, lo que da lugar al firmado de usuarios no deseados. • https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released https://www.debian.org/security/2018/dsa-4206 • CWE-20: Improper Input Validation •
CVE-2017-0920
https://notcve.org/view.php?id=CVE-2017-0920
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance. Las ediciones Community y Enterprise de Gitlab, en versiones anteriores a la 10.1.6, 10.2.6 y 10.3.4, son vulnerables a un problema de omisión de autenticación en el componente Projects::MergeRequests::CreationsController. Esto resulta en que un atacante puede ver todos los nombres de proyecto y sus respectivos espacios de nombre en una instancia de GitLab. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/301336 https://www.debian.org/security/2018/dsa-4206 • CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •
CVE-2017-0915
https://notcve.org/view.php?id=CVE-2017-0915
Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution. Gitlab Community Edition 10.2.4 es vulnerable a una falta de validación de entradas en GitlabProjectsImportService que resulta en la ejecución remota de código. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/298873 https://www.debian.org/security/2018/dsa-4145 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2017-0925
https://notcve.org/view.php?id=CVE-2017-0925
Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password. Gitlab Enterprise Edition 10.1.0 es vulnerable a un problema de credenciales protegidas de forma insuficiente en el endpoint de API de proyecto de integración de servicio que resulta en la divulgación de información de contraseñas en texto plano. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://gitlab.com/gitlab-org/gitlab-ee/issues/3847 https://www.debian.org/security/2018/dsa-4145 • CWE-319: Cleartext Transmission of Sensitive Information CWE-522: Insufficiently Protected Credentials •