CVE-2020-13355
Summary: CVE-2020-13355 is a path traversal vulnerability in GitLab CE/EE with LFS Upload that lets an attacker overwrite specific server paths. Affected GitLab versions are 8.14 through 13.3.8, 13.4 through 13.4.4, and 13.5 through 13.5.1. The root cause is a path traversal flaw in the LFS Uploa...
CVE-2020-13355
Removed by vendor...
CVE-2020-26068
CVE-2020-26068 affects Cisco Telepresence CE Software and Cisco RoomOS Software. A flaw in the xAPI service due to insufficient access authorization allows an authenticated remote attacker to generate an access token for an affected device, potentially enabling experimental features that should n...
CVE-2020-26405
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are =12.8, =13.4, =13.5, 13.5.2...
CVE-2020-26405
CVE-2020-26405 is a path-traversal vulnerability in GitLab CE/EE package upload that allows saving packages to arbitrary locations. Affected GitLab versions include 12.8–13.3.8, 13.4–13.4.4, and 13.5–13.5.1. Root cause is in the package upload functionality. Remediation per sources: upgrade to 13...
CVE-2020-13351
Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are =13.0, =13.4.0, =13.5.0, 13.5.2...
Design/Logic Flaw
Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are =13.0, =13.4.0, =13.5.0, 13.5.2...
CVE-2020-13350
CVE-2020-13350 is a CSRF vulnerability in the GitLab CE/EE runner administration page affecting multiple versions: >=13.5.0, =13.4.0, <13.4.5;
CVE-2020-13351
CVE-2020-13351 affects GitLab CE/EE versions with insufficient permission checks in the scheduled pipeline API, allowing an attacker who can view a project to read variable names and values for that project’s scheduled pipelines. Affected versions are >=13.0 and =13.4.0 and =13.5.0 and
CVE-2020-13358
A vulnerability in the internal Kubernetes agent API in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: =13.4, =13.3, =13.5, 13.5.2...
CVE-2020-13352
Private group info is leaked in GitLab CE/EE version 10.2 and above when a project is moved from a private group to a public group. Affected versions are: =10.2, =13.4, =13.5, 13.5.2...
Input validation
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause an exponential number of regex backtracks for certain user-supplied values, resulting in high CPU usage. Affected versions are: =12.6, 13.3.9...
CVE-2020-13354
GitLab CE/EE vulnerability CVE-2020-13354 affects GitLab 12.6 and later up to
CVE-2020-13358
CVE-2020-13358 - GitLab Kubernetes agent API permission bypass vulnerability in GitLab CE/EE; affected are GitLab versions in the ranges: >=13.3, =13.4, =13.5,
compras.sepog.fortaleza.ce.gov.br Cross Site Scripting vulnerability OBB-1495012
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...
CVE-2020-26086
CVE-2020-26086 relates to Cisco TelePresence Collaboration Endpoint Software. A vulnerability in the video endpoint API (xAPI) could allow an authenticated, remote attacker to access sensitive information due to improper storage of sensitive data on the device. The issue affects the xAPI componen...
CVE-2020-27976
osCommerce Phoenix CE before 1.0.5.4 allows remote OS command injection. Within admin/mail.php, a "from" POST parameter can be passed to the application. This affects the PHP mail function and the sendmail -f option...