70 matches found
PrusaSlicer 2.6.1 Arbitrary Code Execution
Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export Date: 16/01/2024 Exploit Author: Kamil Breński Vendor Homepage: https://www.prusa3d.com Software Link: https://github.com/prusa3d/PrusaSlicer Version: PrusaSlicer up to and including version 2.6.1 Tested on: Windows and...
Improper Access Control
Gitlab is vulnerable to Improper Access Control. The vulnerability is caused due to a missing permission validation for a user while accessing git lab project dependencies. A user can access composer packages on public projects that have package registry disabled in the project settings...
CVE-2023-3964 Incorrect Authorization in GitLab
An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disable...
Information Disclosure
gitlab is vulnerable to Information Disclosure. The vulnerability exists because the Google IAP details in Prometheus integration are not properly hidden, which leads to the leak of project settings, instance and group details to other users...
Cross-site Scripting (XSS)
gitlab is vulnerable to Cross-site Scripting XSS. The vulnerability exists in the project settings page, allowing an attacker to inject and execute malicious javascript...
Granting the 'Administer Projects' permission to a 'Custom Field' within a permission scheme allows all users to see the Project Settings
h3. Issue Summary This is reproducible on Data Center: yes Granting the Administer Projects permission to a User custom field value results in users having access to the Project Settings area even when the field is not populated. h3. Steps to Reproduce Create a new project with sample data Create...
ProjectID is disclosed and can be used for IDOR attack
I find that we click "Settings" button, we can see all the project, even the login user does not belong to the project. Using burpsuit to hijack the reqeust, we can obtain project ids. We can use projectid to perform IDOR attack. 1 create two projects: project1 and project2, and their admin is...
Design/Logic Flaw
An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is...
CVE-2023-0223
An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is...
CVE-2022-4289
An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, versions of 15.8 before 15.8.4, and version 15.9 before 15.9.2. Google IAP details in Prometheus integration were not hidden, could be leaked from instance, group, or project settings to other users...
PT-2023-14158 · Gitlab · Gitlab
Name of the Vulnerable Software and Affected Versions: GitLab versions 15.3 through 15.7.7 GitLab versions 15.8.0 through 15.8.3 GitLab versions 15.9.0 through 15.9.1 Description: An issue has been discovered in GitLab where Google IAP details in Prometheus integration were not hidden and could b...
GitLab 安全漏洞
GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD Continuous Integration and Continuous Delivery, and other features. A security vulnerability exists in GitLab that stems from unhidden Google IAP...
GitLab 14.4 < 14.10.5 / 15.0 < 15.0.4 / 15.1 < 15.1.1 (CVE-2022-2230)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an...
CVE-2022-2230
A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf...
UBUNTU-CVE-2022-2230
A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf...
PT-2022-15342 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 14.4 through 14.10.4 GitLab CE/EE versions 15.0 through 15.0.3 GitLab CE/EE versions 15.1 through 15.1.0 Description: A Stored Cross-Site Scripting issue in the project settings page allows an attacker to execute arbitra...
REST API falsely updates Project Category without necessary permissions
panel:bgColor=e7f4fa NOTE: This is for JIRA Server and JIRA Data Center . panel h3. Issue Summary A User with Project Administrator permissions is able to update the Project Category via REST API. But in the Jira UI only a Jira Administrator is allowed to update the Project Category. h3. Steps to...
Exploit for Improper Input Validation in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
This is a Java project for a web application that uses the Log4j library. The project is a practice environment for testing and learning about the Log4j vulnerability CVE-2021-44228. The project includes a Maven project settings file, a Java class file, and a Log4j configuration file. The Log4j...
Authentication flaw
Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. T...
CVE-2021-43201
In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project...