Количество 5 501
Количество 5 501
GHSA-qhmc-hgm8-7h94
An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to redirect users to an arbitrary location if they trust the URL.
GHSA-qhh9-23rj-2x83
An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases we set to be restricted to project members only
GHSA-qh9v-hc8g-m9wx
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control (issue 2 of 6).
GHSA-qgwf-v74m-338m
Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.
GHSA-qgvm-92m2-j87g
GitLab before 12.8.2 allows Information Disclosure. Badge images were not being proxied, causing mixed content warnings as well as leaking the IP address of the user.
GHSA-qgpv-xwh3-9v79
An issue has been discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. An XSS was possible via a malicious email address for certain instances.
GHSA-qg3j-4m32-rxh8
A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.
GHSA-qfrc-4c6q-334p
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain circumstances.
GHSA-qfpg-mw2p-44hg
An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature.
GHSA-qfj5-c4hr-4gr8
GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.
GHSA-qf2w-qprx-c232
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.
GHSA-qcrv-74q6-jcj4
User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification
GHSA-qcj8-gp4q-v8r2
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token
GHSA-qchj-3w44-j257
An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted.
GHSA-qch9-vmv9-f8v6
An issue has been discovered in GitLab CE/EE affecting all versions before 15.8.5, 15.9.4, 15.10.1. Open redirects was possible due to framing arbitrary content on any page allowing user controlled markdown
GHSA-qccj-j742-ww2r
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches.
GHSA-qccf-5wwv-jq8x
An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API.
GHSA-q9g6-jf2g-r26w
A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected.
GHSA-q9g2-gp7g-r5fj
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the GitLab import component resulting in an attacker being able to perform operations under a group in which they were previously unauthorized.
GHSA-q99w-5q7g-6x5x
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
| GHSA-qhmc-hgm8-7h94 An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to redirect users to an arbitrary location if they trust the URL. | CVSS3: 6.1 | 0% Низкий | больше 3 лет назад |
| GHSA-qhh9-23rj-2x83 An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases we set to be restricted to project members only | CVSS3: 5.3 | 0% Низкий | около 3 лет назад |
| GHSA-qh9v-hc8g-m9wx An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control (issue 2 of 6). | 0% Низкий | почти 4 года назад | |
| GHSA-qgwf-v74m-338m Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC. | CVSS3: 6.3 | 0% Низкий | почти 4 года назад |
| GHSA-qgvm-92m2-j87g GitLab before 12.8.2 allows Information Disclosure. Badge images were not being proxied, causing mixed content warnings as well as leaking the IP address of the user. | CVSS3: 7.5 | 0% Низкий | почти 4 года назад |
| GHSA-qgpv-xwh3-9v79 An issue has been discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. An XSS was possible via a malicious email address for certain instances. | CVSS3: 6.1 | 20% Средний | почти 3 года назад |
| GHSA-qg3j-4m32-rxh8 A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed. | 0% Низкий | почти 4 года назад | |
| GHSA-qfrc-4c6q-334p An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain circumstances. | CVSS3: 4.4 | 0% Низкий | около 1 года назад |
| GHSA-qfpg-mw2p-44hg An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature. | CVSS3: 6.5 | 0% Низкий | 8 месяцев назад |
| GHSA-qfj5-c4hr-4gr8 GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint. | CVSS3: 5.3 | 0% Низкий | около 1 месяца назад |
| GHSA-qf2w-qprx-c232 An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions. | CVSS3: 4.3 | 0% Низкий | 9 месяцев назад |
| GHSA-qcrv-74q6-jcj4 User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification | 0% Низкий | почти 4 года назад | |
| GHSA-qcj8-gp4q-v8r2 A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token | 0% Низкий | почти 4 года назад | |
| GHSA-qchj-3w44-j257 An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted. | 0% Низкий | почти 4 года назад | |
| GHSA-qch9-vmv9-f8v6 An issue has been discovered in GitLab CE/EE affecting all versions before 15.8.5, 15.9.4, 15.10.1. Open redirects was possible due to framing arbitrary content on any page allowing user controlled markdown | CVSS3: 5.4 | 0% Низкий | почти 3 года назад |
| GHSA-qccj-j742-ww2r An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches. | CVSS3: 5.7 | 0% Низкий | больше 2 лет назад |
| GHSA-qccf-5wwv-jq8x An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API. | CVSS3: 5.8 | 0% Низкий | 7 месяцев назад |
| GHSA-q9g6-jf2g-r26w A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected. | CVSS3: 4.3 | 0% Низкий | больше 3 лет назад |
| GHSA-q9g2-gp7g-r5fj GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the GitLab import component resulting in an attacker being able to perform operations under a group in which they were previously unauthorized. | CVSS3: 7.5 | 0% Низкий | почти 4 года назад |
| GHSA-q99w-5q7g-6x5x A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari | CVSS3: 6.5 | 1% Низкий | почти 4 года назад |
Уязвимостей на страницу