FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-09-07 14:16:01 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: Description

acb4eab6-3f6d-11ef-8657-001b217b3468: Gitlab -- vulnerabilities

Gitlab reports:

An attacker can run pipeline jobs as an arbitrary user

Developer user with admin_compliance_framework permission can change group URL

Admin push rules custom role allows creation of project level deploy token

Package registry vulnerable to manifest confusion

User with admin_group_member permission can ban group members

Subdomain takeover in GitLab Pages


Discovery 2024-07-10
Entry 2024-07-11
Affected packages: gitlab-ce, gitlab-ee
Affected versions: >= 17.1.0 and < 17.1.2; >= 17.0.0 and < 17.0.4; >= 11.8.0 and < 16.11.6

CVE-2024-6385
CVE-2024-5257
CVE-2024-5470
CVE-2024-6595
CVE-2024-2880
CVE-2024-5528
https://about.gitlab.com/releases/2024/07/10/patch-release-gitlab-17-1-2-released/
b2caae55-dc38-11ee-96dc-001b217b3468: Gitlab -- Vulnerabilities

Gitlab reports:

Bypassing CODEOWNERS approval allowing to steal protected variables

Guest with manage group access tokens can rotate and see group access token with owner permissions


Discovery 2024-03-06
Entry 2024-03-07
Affected packages: gitlab-ce
Affected versions: >= 16.9.0 and < 16.9.2; >= 16.8.0 and < 16.8.4; >= 11.3.0 and < 16.7.7

CVE-2024-0199
CVE-2024-1299
https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released/
fbc2c629-0dc5-11ef-9850-001b217b3468: Gitlab -- vulnerabilities

Gitlab reports:

ReDoS in branch search when using wildcards

ReDoS in markdown render pipeline

ReDoS on Discord integrations

ReDoS on Google Chat Integration

Denial of Service Attack via Pin Menu

DoS by filtering tags and branches via the API

MR approval via CSRF in SAML SSO

Banned user from groups can read issue updates via the API

Require confirmation before linking JWT identity

View confidential issues title and description of any public project via export

SSRF via GitHub importer


Discovery 2024-05-08
Entry 2024-05-09
Affected packages: gitlab-ce, gitlab-ee
Affected versions: >= 16.11.0 and < 16.11.2; >= 16.10.0 and < 16.10.5; >= 10.6.0 and < 16.9.7

CVE-2024-2878
CVE-2024-2651
CVE-2023-6682
CVE-2023-6688
CVE-2024-2454
CVE-2024-4539
CVE-2024-4597
CVE-2024-1539
CVE-2024-1211
CVE-2024-3976
CVE-2023-6195
https://about.gitlab.com/releases/2024/05/08/patch-release-gitlab-16-11-2-released/
f848ef90-1848-11ef-9850-001b217b3468: Gitlab -- Vulnerabilities

Gitlab reports:

1-click account takeover via XSS in the code editor in gitlab.com

A DoS vulnerability in the 'description' field of the runner

CSRF via K8s cluster-integration

Using Set Pipeline Status of a Commit API incorrectly creates a new pipeline when SHA and pipeline_id did not match

ReDoS on wiki render API/Page

Resource exhaustion and denial of service with test_report API calls

Guest user can view dependency lists of private projects through job artifacts

Stored XSS via PDFjs


Discovery 2024-05-22
Entry 2024-05-22
Affected packages: gitlab-ce, gitlab-ee
Affected versions: >= 17.0.0 and < 17.0.1; >= 16.11.0 and < 16.11.3; >= 11.11 and < 16.10.6

CVE-2024-4835
CVE-2024-2874
CVE-2023-7045
CVE-2023-6502
CVE-2024-1947
CVE-2024-4367
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
03bf5157-d145-11ee-acee-001b217b3468: Gitlab -- Vulnerabilities

Gitlab reports:

Stored-XSS in user's profile page

User with "admin_group_members" permission can invite other groups to gain owner access

ReDoS issue in the Codeowners reference extractor

LDAP user can reset password using secondary email and login using direct authentication

Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard

Users with the Guest role can change Custom dashboard projects settings for projects in the victim group

Group member with sub-maintainer role can change title of shared private deploy keys

Bypassing approvals of CODEOWNERS


Discovery 2024-02-21
Entry 2024-02-22
Affected packages: gitlab-ce
Affected versions: >= 16.9.0 and < 16.9.1; >= 16.8.0 and < 16.8.3; >= 11.3.0 and < 16.7.6

CVE-2024-1451
CVE-2023-6477
CVE-2023-6736
CVE-2024-1525
CVE-2023-4895
CVE-2024-0861
CVE-2023-3509
CVE-2024-0410
https://about.gitlab.com/releases/2024/02/21/security-release-gitlab-16-9-1-released/
b857606c-0266-11ef-8681-001b217b3468: Gitlab -- vulnerabilities

Gitlab reports:

GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider

Path Traversal leads to DoS and Restricted File Read

Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search

Personal Access Token scopes not honoured by GraphQL subscriptions

Domain based restrictions bypass using a crafted email address


Discovery 2024-04-24
Entry 2024-04-24
Affected packages: gitlab-ce, gitlab-ee
Affected versions: >= 16.11.0 and < 16.11.1; >= 16.10.0 and < 16.10.4; >= 7.8.0 and < 16.9.6

CVE-2024-4024
CVE-2024-2434
CVE-2024-2829
CVE-2024-4006
CVE-2024-1347
https://about.gitlab.com/releases/2024/04/24/patch-release-gitlab-16-11-1-released/
92cd1c03-2940-11ef-bc02-001b217b3468: Gitlab -- Vulnerabilities

Gitlab reports:

ReDoS in gomod dependency linker

ReDoS in CI interpolation (fix bypass)

ReDoS in Asana integration issue mapping when webhook is called

XSS and content injection when viewing raw XHTML files on iOS devices

Missing agentk request validation could cause KAS to panic


Discovery 2024-06-12
Entry 2024-06-13
Affected packages: gitlab-ce, gitlab-ee
Affected versions: >= 17.0.0 and < 17.0.2; >= 16.11.0 and < 16.11.4; >= 5.1 and < 16.10.7

CVE-2024-1495
CVE-2024-1736
CVE-2024-1963
CVE-2024-4201
CVE-2024-5469
https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/
dad6294c-f7c1-11ee-bb77-001b217b3468: Gitlab -- Patch Release: 16.10.2, 16.9.4, 16.8.6

Gitlab reports:

Stored XSS injected in diff viewer

Stored XSS via autocomplete results

ReDoS on Integrations Chat Messages

ReDoS During Parse Junit Test Report


Discovery 2024-04-10
Entry 2024-04-11
Affected packages: gitlab-ce
Affected versions: >= 16.10.0 and < 16.10.2; >= 16.9.0 and < 16.9.4; < 16.8.6

CVE-2024-3092
CVE-2024-2279
CVE-2023-6489
CVE-2023-6678
https://about.gitlab.com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/
d2992bc2-ed18-11ee-96dc-001b217b3468: Gitlab -- vulnerabilities

Gitlab reports:

Stored-XSS injected in Wiki page via Banzai pipeline

DoS using crafted emojis


Discovery 2024-03-27
Entry 2024-03-28
Affected packages: gitlab-ce
Affected versions: >= 16.10.0 and < 16.10.1; >= 16.9.0 and < 16.9.3; < 16.8.5

CVE-2023-6371
CVE-2024-2818
https://about.gitlab.com/releases/2024/03/27/security-release-gitlab-16-10-1-released/
24c88add-4a3e-11ef-86d7-001b217b3468: Gitlab -- Vulnerabilities

Gitlab reports:

XSS via the Maven Dependency Proxy

Project level analytics settings leaked in DOM

Reporters can access and download job artifacts despite use of settings to prevent it

Direct Transfer - Authorised project/group exports are accessible to other users

Bypassing tag check and branch check through imports

Project Import/Export - Make project/group export files hidden to everyone except user who initiated it


Discovery 2024-07-24
Entry 2024-07-25
Affected packages: gitlab-ce, gitlab-ee
Affected versions: >= 17.2.0 and < 17.2.1; >= 17.1.0 and < 17.1.3; >= 12.0.0 and < 17.0.5

CVE-2024-5067
CVE-2024-7057
CVE-2024-0231
https://about.gitlab.com/releases/2024/07/24/patch-release-gitlab-17-2-1-released/
589de937-343f-11ef-8a7b-001b217b3468: Gitlab -- Vulnerabilities

Gitlab reports:

Run pipelines as any user

Stored XSS injected in imported project's commit notes

CSRF on GraphQL API IntrospectionQuery

Remove search results from public projects with unauthorized repos

Cross window forgery in user application OAuth flow

Project maintainers can bypass group's merge request approval policy

ReDoS via custom built markdown page

Private job artifacts can be accessed by any user

Security fixes for banzai pipeline

ReDoS in dependency linker

Denial of service using a crafted OpenAPI file

Merge request title disclosure

Access issues and epics without having an SSO session

Non project member can promote key results to objectives


Discovery 2024-06-26
Entry 2024-06-27
Affected packages: gitlab-ce, gitlab-ee
Affected versions: >= 17.1.0 and < 17.1.1; >= 17.0.0 and < 17.0.3; >= 1.0.0 and < 16.11.5

CVE-2024-5655
CVE-2024-4901
CVE-2024-4994
CVE-2024-6323
CVE-2024-2177
CVE-2024-5430
CVE-2024-4025
CVE-2024-3959
CVE-2024-4557
CVE-2024-1493
CVE-2024-1816
CVE-2024-2191
CVE-2024-3115
CVE-2024-4011
https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/
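Each entry above lists its affected versions as VuXML ranges: a `ge` bound is inclusive, a `lt` bound is exclusive (the first fixed release), and an entry matches when any one of its ranges covers the installed version of a named package. On FreeBSD, `pkg audit` does this check against the same VuXML feed. The script below is an added example, not FreshPorts, FreeBSD or GitLab code: it parses the range notation as rendered on this page, compares versions numerically rather than as strings (16.10.5 is newer than 16.9.7, which a string comparison gets backwards), and evaluates four entries transcribed from the table. The installed versions it checks are constructed test inputs.

```python
"""Evaluate a GitLab package version against VuXML version ranges.

Added example for this page, not FreshPorts, FreeBSD or GitLab code. The
four entries in ENTRIES are transcribed from the table on this page; the
versions checked under __main__ are constructed test inputs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted version into integers so 16.10.5 sorts after 16.9.7.

    A plain string comparison gets this wrong ('16.10.5' < '16.9.7').
    """
    return tuple(int(p) for p in v.strip().split("."))


# VuXML range notation as rendered on this page: 'ge X lt Y' or just '< Y'.
_RANGE_RE = re.compile(r"^(?:ge\s+(\S+)\s+)?(?:lt\s+|<\s*)(\S+)$")


@dataclass(frozen=True)
class Range:
    ge: str | None  # inclusive lower bound; None when the entry gives only 'lt'
    lt: str         # exclusive upper bound: the first fixed release

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.ge is not None and v < parse_version(self.ge):
            return False
        return v < parse_version(self.lt)


def parse_range(text: str) -> Range:
    m = _RANGE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised VuXML range: {text!r}")
    return Range(ge=m.group(1), lt=m.group(2))


@dataclass(frozen=True)
class Entry:
    vid: str
    packages: tuple[str, ...]
    ranges: tuple[Range, ...]
    cves: tuple[str, ...]


def _entry(vid: str, packages: tuple[str, ...], ranges: tuple[str, ...],
           cves: tuple[str, ...]) -> Entry:
    return Entry(vid, packages, tuple(parse_range(r) for r in ranges), cves)


# Transcribed from this page. Note that one entry names only gitlab-ce.
ENTRIES = (
    _entry("acb4eab6-3f6d-11ef-8657-001b217b3468", ("gitlab-ce", "gitlab-ee"),
           ("ge 17.1.0 lt 17.1.2", "ge 17.0.0 lt 17.0.4", "ge 11.8.0 lt 16.11.6"),
           ("CVE-2024-6385", "CVE-2024-5257", "CVE-2024-5470",
            "CVE-2024-6595", "CVE-2024-2880", "CVE-2024-5528")),
    _entry("24c88add-4a3e-11ef-86d7-001b217b3468", ("gitlab-ce", "gitlab-ee"),
           ("ge 17.2.0 lt 17.2.1", "ge 17.1.0 lt 17.1.3", "ge 12.0.0 lt 17.0.5"),
           ("CVE-2024-5067", "CVE-2024-7057", "CVE-2024-0231")),
    _entry("f848ef90-1848-11ef-9850-001b217b3468", ("gitlab-ce", "gitlab-ee"),
           ("ge 17.0.0 lt 17.0.1", "ge 16.11.0 lt 16.11.3", "ge 11.11 lt 16.10.6"),
           ("CVE-2024-4835", "CVE-2024-2874", "CVE-2023-7045",
            "CVE-2023-6502", "CVE-2024-1947", "CVE-2024-4367")),
    _entry("dad6294c-f7c1-11ee-bb77-001b217b3468", ("gitlab-ce",),
           ("ge 16.10.0 lt 16.10.2", "ge 16.9.0 lt 16.9.4", "< 16.8.6"),
           ("CVE-2024-3092", "CVE-2024-2279", "CVE-2023-6489", "CVE-2023-6678")),
)


def affected_entries(package: str, version: str) -> list[Entry]:
    """Entries that name `package` and have at least one range covering `version`."""
    return [e for e in ENTRIES
            if package in e.packages and any(r.contains(version) for r in e.ranges)]


def affected_cves(package: str, version: str) -> set[str]:
    return {c for e in affected_entries(package, version) for c in e.cves}


if __name__ == "__main__":
    # Constructed inputs: one version inside two 17.x ranges, one sitting
    # exactly on a fixed release (the 'lt' bound is exclusive), one old build
    # checked under both package names.
    for pkg, ver in (("gitlab-ce", "17.1.1"), ("gitlab-ce", "17.2.1"),
                     ("gitlab-ce", "16.8.5"), ("gitlab-ee", "16.8.5")):
        hits = affected_entries(pkg, ver)
        print(f"{pkg} {ver}: {len(hits)} VuXML entries, "
              f"{len(affected_cves(pkg, ver))} CVEs")
```

The package check matters as much as the version check: the 16.10.2 patch-release entry names only gitlab-ce, so a gitlab-ee build at 16.8.5 matches one entry fewer than the same version of gitlab-ce. Ranges that reach back to very old releases (here 1.0.0, 5.1 and 7.8.0) mean any build older than the oldest listed fix matches; the exclusive `lt` bound is what lets a version that sits exactly on a fixed release pass.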