CVE-2021-39875
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint...
CVE-2021-39872
In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration...
CVE-2021-39869
In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project...
CVE-2021-39894
In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in the Fogbugz importer which may be used by attackers to carry out Server Side Request Forgery (SSRF) attacks...
Server-side request forgery (SSRF)
In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in the Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks...
CVE-2021-39872
CVE-2021-39872 affects GitLab CE/EE (all versions since 14.1) and stems from an improper access-control flaw that allows users with expired passwords to access GitLab via git and API tokens that were acquired before expiration. The vulnerability is described as enabling access through existing to...
CVE-2021-39894
CVE-2021-39894 affects GitLab CE/EE from version 8.0 onward, with a DNS rebinding vulnerability in the Fogbugz importer that may enable attackers to trigger server-side request forgery (SSRF). The connected sources reiterate the same description and do not provide concrete exploit vectors, affect...
CVE-2021-39869
Removed by vendor...
CVE-2021-39867
CVE-2021-39867 affects GitLab CE/EE since v8.15, due to a DNS rebinding vulnerability in the Gitea Importer that can enable Server-Side Request Forgery (SSRF). Impact is partial confidentiality/integrity and network-exposed risk; no exploitation details are provided beyond the SSRF description. R...
CVE-2021-39882
CVE-2021-39882 affects all versions of GitLab CE/EE, enabling anonymous users to access endpoints that disclose information about any GitLab user. The root cause is an information-disclosure flaw where providing a user ID allows exposure of user data via multiple endpoints. The available document...
CVE-2021-39887
A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf...
CVE-2021-39887
Removed by vendor...
CVE-2021-39887
CVE-2021-39887 affects GitLab CE/EE using GitLab Flavored Markdown. The vulnerability is a stored Cross-Site Scripting flaw in the Markdown renderer for version 8.4 and above, enabling an attacker to execute arbitrary JavaScript in a victim’s browser. The public documents consistently describe th...