16 matches found
CVE-2026-44454 Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a craft...
CVE-2026-44454
Coder is vulnerable to command injection in the dotfiles registry module, exploitable via crafted dotfiles_uri values and the mode=auto workflow. Root cause: unsanitized user input interpolated into shell commands, enabling arbitrary code execution inside a provisioned workspace, especially when ...
GO-2026-5897 Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder...
GHSA-M3CR-VC2J-PM27 Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
Command injection via dotfiles URI parameter combined with workspace auto-creation Summary The dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted dotfilesuri value for example,...
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
Command injection via dotfiles URI parameter combined with workspace auto-creation Summary The dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted dotfilesuri value for example,...
PT-2026-55445
Name of the Vulnerable Software and Affected Versions coder versions prior to 2.29.7 coder versions prior to 2.30.2 Description A command injection issue exists in the dotfiles registry module where unsanitized user input is passed to shell commands. An attacker can provide a crafted dotfiles uri...
EUVD-2023-59151
Malicious code in bioql PyPI...
CVE-2023-6955
A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group...
URGENT: Upgrade GitLab - Critical Workspace Creation Flaw Allows File Overwrite
GitLab once again released fixes to address a critical security flaw in its Community Edition CE and Enterprise Edition EE that could be exploited to write arbitrary files while creating a workspace. Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10. "An...
CVE-2024-0402
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace...
UBUNTU-CVE-2024-0402
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace...
PT-2024-1286
Name of the Vulnerable Software and Affected Versions GitLab versions 16.0 through 16.5.7 GitLab versions 16.6 through 16.6.5 GitLab versions 16.7 through 16.7.3 GitLab versions 16.8 through 16.8.0 Description The issue is related to an incorrect restriction of the path name to a directory with...
UBUNTU-CVE-2023-6955
A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group...
CVE-2023-6955 Missing Authorization in GitLab
A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group...
Slack: Unauthorized access to GovSlack
An unauthorized user could create a workspace on GovSlack by copying and sending a fetch request payload from slack.com to slack-gov.com, which would bypass the disabled option to create a workspace for new users. This could result in unauthorized access to GovSlack...
Slack: Workspace configuration metadata disclosure
Slack allows users to create a Workspace using the Get Started page, located at https://slack.com/get-started/create. This process uses workspace metadata to direct the user-provided email address to existing Slack accounts. However, if a domain pertaining to an Enterprise customer is submitted...