Gitlab -- Multiple vulnerabilities

2019-01-31T00:00:00
ID 467B7CBE-257D-11E9-8573-001B217B3468
Type freebsd
Reporter FreeBSD
Modified 2019-01-31T00:00:00

Description

Gitlab reports:

- Remote Command Execution via GitLab Pages
- Covert Redirect to Steal GitHub/Bitbucket Tokens
- Remote Mirror Branches Leaked by Git Transfer Refs
- Denial of Service with Markdown
- Guests Can View List of Group Merge Requests
- Guest Can View Merge Request Titles via System Notes
- Persistent XSS via KaTeX
- Emails Sent to Unauthorized Users
- Hyperlink Injection in Notification Emails
- Unauthorized Access to LFS Objects
- Trigger Token Exposure
- Upgrade Rails to 5.0.7.1 and 4.2.11
- Contributed Project Information Visible in Private Profile
- Imported Project Retains Prior Visibility Setting
- Error disclosure on Project Import
- Persistent XSS in User Status
- Last Commit Status Leaked to Guest Users
- Mitigations for IDN Homograph and RTLO Attacks
- Access to Internal Wiki When External Wiki Enabled
- User Can Comment on Locked Project Issues
- Unauthorized Reaction Emojis by Guest Users
- User Retains Project Role After Removal from Private Group
- GitHub Token Leaked to Maintainers
- Unauthenticated Blind SSRF in Jira Integration
- Unauthorized Access to Group Membership
- Validate SAML Response in Group SAML SSO