
6 matches found

Positive Technologies
added yesterday | 6 views

PT-2026-46864

Summary: A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync. The regular integration endpoint POST /api/integration correctly blocks this, but the Sync API bypasses th...

6.5 CVSS | 5.9 AI score
Exploits: 0 | References: 5
Veracode
added 2023/07/22 5:00 a.m. | 17 views

Authorization Bypass

GitLab is vulnerable to authorization bypass. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker-controlled server...

5.5 CVSS | 6.7 AI score | 0.00618 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist
added 2022/08/05 3:09 p.m. | 14 views

CVE-2022-2497

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. A malicious developer could exfiltrate an integration's access token by modifying the integration URL...

8.5 CVSS | 8 AI score | 0.0159 EPSS
Exploits: 0 | References: 3
Kitploit
added 2020/07/29 12:30 p.m. | 42 views

Commit Stream - OSINT Tool For Finding Github Repositories By Extracting Commit Logs In Real Time From The Github Event API

commit-stream drinks commit logs from the Github event firehose, exposing the author details (name and email address) associated with Github repositories in real time. OSINT / Recon uses for Redteamers / Bug bounty hunters: Uncover repositories which employees of a target company are committing code...

7.3 AI score
Exploits: 0 | References: 3
CNVD
added 2016/05/06 12:00 a.m. | 2 views

Cisco Finesse Server-Side Request Forgery Vulnerability

Cisco Finesse is a set of call center management software from the U.S. company Cisco. The software enhances call center service quality, improves customer experience, and increases agent satisfaction. A server-side request forgery vulnerability exists in Cisco Finesse, which stems from the...

8.6 CVSS | 7 AI score | 0.00235 EPSS
Exploits: 0 | References: 1
Prion
added 2015/09/22 3:59 p.m. | 12 views

Information disclosure

The GetResource servlet in Pentaho Business Analytics BA Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration PDI Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote attackers to obtain...

5 CVSS | 6.6 AI score | 0.00283 EPSS
Exploits: 2 | References: 3 | Affected Software: 2