This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Gitlab First view 2019-08-29
Product Gitlab Last view 2020-10-12
Version 11.11.2 Type Application
Update *  
Edition *  
Language *  
Sofware Edition enterprise  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:gitlab:gitlab

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
4.9 2020-10-12 CVE-2020-13341

An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Insufficient permission check allows attacker with developer role to perform various deletions.

4.4 2020-10-08 CVE-2020-13344

An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Sessions keys are stored in plain-text in Redis which allows attacker with Redis access to authenticate as any user that has a session stored in Redis

8.7 2020-10-08 CVE-2020-13340

An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log

6.5 2020-10-08 CVE-2020-13339

An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only being impacted.

9.1 2020-10-07 CVE-2020-13347

A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG build variable.

6.5 2020-10-07 CVE-2020-13346

Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.

2.7 2020-10-07 CVE-2020-13342

An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email

4.3 2020-10-07 CVE-2020-13335

Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group.

7.5 2020-10-07 CVE-2020-13334

In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query

5.4 2020-10-06 CVE-2020-13345

An issue has been discovered in GitLab affecting all versions starting from 10.8. Reflected XSS on Multiple Routes

8.8 2020-10-06 CVE-2020-13343

An issue has been discovered in GitLab affecting all versions starting from 11.2. Unauthorized Users Can View Custom Project Template

5.4 2020-10-02 CVE-2020-13338

An issue has been discovered in GitLab affecting versions prior to 12.10.13, 13.0.8, 13.1.2. A stored cross-site scripting vulnerability was discovered when editing references.

4.8 2020-10-02 CVE-2020-13337

An issue has been discovered in GitLab affecting versions from 12.10 to 12.10.12 that allowed for a stored XSS payload to be added as a group name.

4.8 2020-09-30 CVE-2020-13336

An issue has been discovered in GitLab affecting versions from 11.8 before 12.10.13. GitLab was vulnerable to a stored XSS by in the error tracking feature.

5.4 2020-09-30 CVE-2020-13331

An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS by in the Wiki pasges.

5.4 2020-09-30 CVE-2020-13330

An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in import the Bitbucket project feature.

6.5 2020-09-30 CVE-2020-13329

An issue has been discovered in GitLab affecting versions from 12.6.2 prior to 12.10.13. GitLab was vulnerable to a stored XSS by in the blob view feature.

4.8 2020-09-30 CVE-2020-13328

An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. GitLab was vulnerable to a stored XSS by using the PyPi files API.

4.3 2020-09-30 CVE-2020-13326

A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the restriction for Github project import could be bypassed.

7.1 2020-09-30 CVE-2020-13325

A vulnerability was discovered in GitLab versions prior 13.1. The comment section of the issue page was not restricting the characters properly, potentially resulting in a denial of service.

6.5 2020-09-30 CVE-2020-13324

A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the private activity of a user could be exposed via the API.

7.7 2020-09-30 CVE-2020-13323

A vulnerability was discovered in GitLab versions prior 13.1. Under certain conditions private merge requests could be read via Todos

7.2 2020-09-30 CVE-2020-13322

A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens.

8.3 2020-09-30 CVE-2020-13321

A vulnerability was discovered in GitLab versions prior to 13.1. Username format restrictions could be bypassed allowing for html tags to be added.

6.5 2020-09-30 CVE-2020-13320

An issue has been discovered in GitLab before version 12.10.13 that allowed a project member with limited permissions to view the project security dashboard.

CWE : Common Weakness Enumeration

%idName
27% (50) CWE-200 Information Exposure
17% (32) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
9% (17) CWE-732 Incorrect Permission Assignment for Critical Resource
6% (11) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
3% (7) CWE-287 Improper Authentication
3% (7) CWE-276 Incorrect Default Permissions
3% (7) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
3% (7) CWE-20 Improper Input Validation
3% (6) CWE-639 Access Control Bypass Through User-Controlled Key
3% (6) CWE-269 Improper Privilege Management
2% (5) CWE-613 Insufficient Session Expiration
2% (5) CWE-281 Improper Preservation of Permissions
1% (3) CWE-770 Allocation of Resources Without Limits or Throttling
1% (3) CWE-522 Insufficiently Protected Credentials
1% (3) CWE-306 Missing Authentication for Critical Function
1% (2) CWE-77 Improper Sanitization of Special Elements used in a Command ('Comma...
1% (2) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
0% (1) CWE-798 Use of Hard-coded Credentials
0% (1) CWE-704 Incorrect Type Conversion or Cast
0% (1) CWE-674 Uncontrolled Recursion
0% (1) CWE-668 Exposure of Resource to Wrong Sphere
0% (1) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
0% (1) CWE-345 Insufficient Verification of Data Authenticity
0% (1) CWE-312 Cleartext Storage of Sensitive Information