86 matches found
CVE-2020-13307
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when 2 factor authentication was activated allowing a malicious user to maintain their access...
CVE-2020-13307
Removed by vendor...
CVE-2020-13308
GitLab CVE-2020-13308 affects GitLab versions before 13.1.10, 13.2.8, and 13.3.4. A user without two‑factor authentication could be prohibited from accessing GitLab by being invited into a project that uses 2FA inheritance. Remediation is to upgrade to the fixed releases (13.1.10+, 13.2.8+, 13.3....
CVE-2020-13308
Removed by vendor...
CVE-2020-13304
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Same 2 factor Authentication secret code was generated which resulted an attacker to maintain access under certain conditions...
CVE-2020-13304
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Same 2 factor Authentication secret code was generated which resulted an attacker to maintain access under certain conditions...
CVE-2020-13297
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. When 2 factor authentication was enabled for groups, a malicious user could bypass that restriction by sending a specific query to the API endpoint...
Design/Logic Flaw
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Same 2 factor Authentication secret code was generated which resulted an attacker to maintain access under certain conditions...
CVE-2020-13297
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. When 2 factor authentication was enabled for groups, a malicious user could bypass that restriction by sending a specific query to the API endpoint...
CVE-2020-13297
CVE-2020-13297 : GitLab versions before 13.1.10, 13.2.8, and 13.3.4 are affected. A flaw allows a malicious user to bypass the 2FA restriction for groups by sending a crafted query to the API endpoint. The vulnerability is caused by improper authorization checks in the group-level 2FA flow, enabl...
CVE-2020-13304
The CVE applies to GitLab prior to 13.1.10, 13.2.8, and 13.3.4, where a vulnerability allows a Same 2 Factor Authentication secret code to be generated, enabling an attacker to maintain access under certain conditions. The connected documents corroborate the same description across multiple sourc...
CVE-2020-13304
Removed by vendor...
Race condition
A race condition in the Twilio Authy 2-Factor Authentication application before 24.3.7 for Android allows a user to potentially approve/deny an access request prior to unlocking the application with a PIN on older Android devices effectively bypassing the PIN requirement...
FreeBSD : Gitlab -- multiple vulnerabilities (1fb13175-ed52-11ea-8b93-001b217b3468)
Gitlab reports : Vendor Cross-Account Assume-Role Attack Stored XSS on the Vulnerability Page Outdated Job Token Can Be Reused to Access Unauthorized Resources File Disclosure Via Workhorse File Upload Bypass Unauthorized Maintainer Can Edit Group Badge Denial of Service Within Wiki Functionality...
Gitlab -- multiple vulnerabilities
Gitlab reports: Vendor Cross-Account Assume-Role Attack Stored XSS on the Vulnerability Page Outdated Job Token Can Be Reused to Access Unauthorized Resources File Disclosure Via Workhorse File Upload Bypass Unauthorized Maintainer Can Edit Group Badge Denial of Service Within Wiki Functionality...
FBI, CISA Echo Warnings on ‘Vishing’ Threat
The Federal Bureau of Investigation FBI and the Cybersecurity and Infrastructure Security Agency CISA on Thursday issued a joint alert to warn about the growing threat from voice phishing or "vishing" attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity publishe...
Congrats, you got everyone remote. But did you do it securely?
The lockdown has meant entire companies of typically office based staff being forced to work from home. The change to our way of life is like nothing anyone has in living memory ever seen. However, alongside that, IT teams have had to rush to deliver solutions that were simply not designed for th...
EvilApp - Phishing Attack Using An Android App To Grab Session Cookies For Any Website (ByPass 2FA)
Man-in-the-middle phishing attack using an Android app to grab session cookies for any website, which in turn allows to bypass 2-factor authentication protection. EvilApp brings as an example the hijacking and injection of cookies for authenticated instagram sessions. Legal disclaimer: Usage of...
Authelia - The Single Sign-On Multi-Factor Portal For Web Apps
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on SSO for your applications via a web portal. It acts as a companion of reverse proxies like nginx, Traefik or HAProxy to let them know whether queries should pass through...
CVE-2020-10079
GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain conditions where users should have been required to configure two-factor authentication, it was not being required...