
Summary

Vendor: Gitlab
Product: Gitlab
Version: 11.8
Update: *
Edition: *
Language: *
Software Edition: community
Target Software: *
Target Hardware: *
Other: *

Detail

First view: 2019-04-17
Last view: 2020-10-08
Type: Application

CPE Product: cpe:2.3:a:gitlab:gitlab
Full CPE 2.3 name (assembled from the fields above, in the order part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other): cpe:2.3:a:gitlab:gitlab:11.8:*:*:*:community:*:*:*

Related : CVE

This CPE has more than 25 related CVEs; only the 25 most recently published are listed below, newest first.
CVSS Date CVE
Description
4.4 2020-10-08 CVE-2020-13344

An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Session keys are stored in plain text in Redis, which allows an attacker with Redis access to authenticate as any user that has a session stored in Redis.

8.7 2020-10-08 CVE-2020-13340

An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log

6.5 2020-10-08 CVE-2020-13339

An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG file preview. Overall impact is limited because only the current user is affected.

9.1 2020-10-07 CVE-2020-13347

A command injection vulnerability was discovered in GitLab Runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows host with the Docker executor, an attacker who controls the DOCKER_AUTH_CONFIG build variable can run arbitrary commands on the Windows host.

6.5 2020-10-07 CVE-2020-13346

Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through the API.

2.7 2020-10-07 CVE-2020-13342

An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: lack of rate limiting when re-sending the confirmation email.

4.3 2020-10-07 CVE-2020-13335

Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete their own account without first deleting or transferring their group.

7.5 2020-10-07 CVE-2020-13334

In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project or group to change the confidentiality attribute of an issue via a GraphQL mutation.

6.5 2020-10-07 CVE-2020-13332

Improper access expiration date validation in GitLab versions >=8.11.0-rc6 allows a user to keep access to a project after the expiration date set on their access.

5.4 2020-10-06 CVE-2020-13345

An issue has been discovered in GitLab affecting all versions starting from 10.8: reflected XSS on multiple routes.

8.8 2020-10-06 CVE-2020-13343

An issue has been discovered in GitLab affecting all versions starting from 11.2: unauthorized users can view custom project templates.

5.4 2020-10-02 CVE-2020-13338

An issue has been discovered in GitLab affecting versions prior to 12.10.13, 13.0.8, 13.1.2. A stored cross-site scripting vulnerability was discovered when editing references.

4.8 2020-10-02 CVE-2020-13337

An issue has been discovered in GitLab affecting versions from 12.10 to 12.10.12 that allowed for a stored XSS payload to be added as a group name.

4.8 2020-09-30 CVE-2020-13336

An issue has been discovered in GitLab affecting versions from 11.8 before 12.10.13. GitLab was vulnerable to a stored XSS in the error tracking feature.

5.4 2020-09-30 CVE-2020-13331

An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in Wiki pages.

5.4 2020-09-30 CVE-2020-13330

An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in the Bitbucket project import feature.

6.5 2020-09-30 CVE-2020-13329

An issue has been discovered in GitLab affecting versions from 12.6.2 prior to 12.10.13. GitLab was vulnerable to a stored XSS in the blob view feature.

4.8 2020-09-30 CVE-2020-13328

An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. GitLab was vulnerable to a stored XSS by using the PyPi files API.

4.3 2020-09-30 CVE-2020-13326

A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the restriction on GitHub project import could be bypassed.

7.1 2020-09-30 CVE-2020-13325

A vulnerability was discovered in GitLab versions prior to 13.1. The comment section of the issue page did not restrict characters properly, potentially resulting in a denial of service.

6.5 2020-09-30 CVE-2020-13324

A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the private activity of a user could be exposed via the API.

7.7 2020-09-30 CVE-2020-13323

A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions private merge requests could be read via Todos.

7.2 2020-09-30 CVE-2020-13322

A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens.

8.3 2020-09-30 CVE-2020-13321

A vulnerability was discovered in GitLab versions prior to 13.1. Username format restrictions could be bypassed allowing for html tags to be added.

6.5 2020-09-30 CVE-2020-13320

An issue has been discovered in GitLab before version 12.10.13 that allowed a project member with limited permissions to view the project security dashboard.
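
A triage check against the entries above, added here as an example; it is not GitLab's code and not part of this listing. Given the version of a running GitLab instance (for example the 11.8 this CPE describes), it reports which of the listed CVEs still apply. The affected ranges are transcribed from the entries on this page (CVE-2020-13347 is a GitLab Runner issue and is left out). Two things are assumptions: that "fixed in 13.2.10, 13.3.7 and 13.4.2" means the fix was backported to those minor branches and is present in every newer branch, with older branches receiving no fix; and that pre-release tags such as -rc6 can be ignored for a range check.

```python
"""Report which of the listed GitLab CVEs apply to a given instance version.

Added example, not GitLab's code. Ranges are transcribed from the listing;
branch semantics for "fixed in X, Y and Z" are an assumption (see lead-in).
"""
from __future__ import annotations

# Transcribed from the entries above. "introduced" is None where the page
# gives no lower bound; "fixed" is empty where the page names no fixed version.
ADVISORIES = [
    {"cve": "CVE-2020-13344", "cvss": 4.4, "introduced": None, "fixed": ["13.2.10", "13.3.7", "13.4.2"]},
    {"cve": "CVE-2020-13340", "cvss": 8.7, "introduced": None, "fixed": ["13.2.10", "13.3.7", "13.4.2"]},
    {"cve": "CVE-2020-13339", "cvss": 6.5, "introduced": None, "fixed": ["13.2.10", "13.3.7", "13.4.2"]},
    {"cve": "CVE-2020-13346", "cvss": 6.5, "introduced": None, "fixed": ["13.2.10", "13.3.7", "13.4.2"]},
    {"cve": "CVE-2020-13334", "cvss": 7.5, "introduced": None, "fixed": ["13.2.10", "13.3.7", "13.4.2"]},
    {"cve": "CVE-2020-13338", "cvss": 5.4, "introduced": None, "fixed": ["12.10.13", "13.0.8", "13.1.2"]},
    # page: "from 12.10 to 12.10.12", i.e. fixed in 12.10.13
    {"cve": "CVE-2020-13337", "cvss": 4.8, "introduced": "12.10", "fixed": ["12.10.13"]},
    {"cve": "CVE-2020-13336", "cvss": 4.8, "introduced": "11.8", "fixed": ["12.10.13"]},
    {"cve": "CVE-2020-13329", "cvss": 6.5, "introduced": "12.6.2", "fixed": ["12.10.13"]},
    {"cve": "CVE-2020-13345", "cvss": 5.4, "introduced": "10.8", "fixed": []},
    {"cve": "CVE-2020-13343", "cvss": 8.8, "introduced": "11.2", "fixed": []},
    # page: "versions after 12.9"; 12.9.0 itself is treated as affected (conservative)
    {"cve": "CVE-2020-13322", "cvss": 7.2, "introduced": "12.9", "fixed": []},
    {"cve": "CVE-2020-13320", "cvss": 6.5, "introduced": None, "fixed": ["12.10.13"]},
    {"cve": "CVE-2020-13332", "cvss": 6.5, "introduced": "8.11.0-rc6", "fixed": []},
]


def parse_version(text: str) -> tuple[int, int, int]:
    """'13.2.10' -> (13, 2, 10); '12.10' -> (12, 10, 0); '8.11.0-rc6' -> (8, 11, 0).

    Pre-release tags are dropped (assumption: good enough for a range check).
    """
    core = text.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_fixed(version: tuple[int, int, int], fixed: list[str]) -> bool:
    """Branch-wise check of 'fixed in A, B and C' (assumed GitLab semantics).

    Fixed if the version is on a listed minor branch at or above that branch's
    patch release, or on a minor branch newer than the newest listed one.
    Versions on a branch older than every listed one got no backport.
    """
    if not fixed:
        return False
    branches = sorted(parse_version(f) for f in fixed)
    if version[:2] > branches[-1][:2]:
        return True
    for fixed_version in branches:
        if version[:2] == fixed_version[:2]:
            return version >= fixed_version
    return False


def is_affected(version_text: str, advisory: dict) -> bool:
    version = parse_version(version_text)
    introduced = advisory["introduced"]
    if introduced is not None and version < parse_version(introduced):
        return False
    return not is_fixed(version, advisory["fixed"])


def affecting(version_text: str) -> list[str]:
    """CVE IDs from the listing that apply to version_text, highest CVSS first."""
    hits = [a for a in ADVISORIES if is_affected(version_text, a)]
    hits.sort(key=lambda a: (-a["cvss"], a["cve"]))
    return [a["cve"] for a in hits]


if __name__ == "__main__":
    for ver in ("11.8.0", "12.10.12", "13.3.6", "13.4.2"):
        print(ver, affecting(ver))
```

The unfixed entries (those where the page names only a lower bound) never drop out of the result, which is the correct reading of this listing: it records no fixed version for them, so a later release of the page or the vendor advisory is the only thing that can clear them.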

CWE : Common Weakness Enumeration

This CPE has more than 25 CWE relations; only the 25 most frequent are listed below. Percentages are of all CVEs related to this CPE.
% (count) CWE ID Name
28% (64) CWE-200 Information Exposure
16% (38) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
9% (21) CWE-732 Incorrect Permission Assignment for Critical Resource
5% (13) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
4% (10) CWE-639 Access Control Bypass Through User-Controlled Key
4% (9) CWE-20 Improper Input Validation
3% (8) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
3% (7) CWE-287 Improper Authentication
3% (7) CWE-276 Incorrect Default Permissions
3% (7) CWE-269 Improper Privilege Management
2% (6) CWE-613 Insufficient Session Expiration
2% (5) CWE-281 Improper Preservation of Permissions
1% (3) CWE-770 Allocation of Resources Without Limits or Throttling
1% (3) CWE-522 Insufficiently Protected Credentials
1% (3) CWE-306 Missing Authentication for Critical Function
1% (3) CWE-77 Improper Sanitization of Special Elements used in a Command ('Comma...
0% (2) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
0% (2) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
0% (1) CWE-798 Use of Hard-coded Credentials
0% (1) CWE-704 Incorrect Type Conversion or Cast
0% (1) CWE-674 Uncontrolled Recursion
0% (1) CWE-668 Exposure of Resource to Wrong Sphere
0% (1) CWE-532 Information Leak Through Log Files
0% (1) CWE-362 Race Condition
0% (1) CWE-352 Cross-Site Request Forgery (CSRF)