High-severity GitLab flaw lets attackers take over accounts (Security News, May 2024)
GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting attacks.
"Today, we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition and Enterprise Edition," GitLab said.
On Wednesday, the company also fixed six other medium-severity security flaws, including a Cross-Site Request Forgery via the Kubernetes Agent Server and a denial-of-service bug that can let attackers disrupt the loading of GitLab web resources.
Hijacked GitLab accounts can have a significant impact, including supply chain attacks, if the attackers insert malicious code in CI/CD environments, compromising an organization's repositories.
Tracked as CVE-2023-7028, this maximum severity security flaw allows unauthenticated attackers to take over GitLab accounts via password resets.
Even though Shadowserver discovered over 5,300 vulnerable GitLab instances exposed online in January, fewer than half of them are still reachable at the moment.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-12 | CVE-2023-7028 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gitlab. An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address. | 9.8 |
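The weakness class in the table, password reset tokens reaching an unverified address, is shown below as an added illustration with constructed data; it is not GitLab's code, and the account record, the `verified` flag and the two handler names are assumptions for the example.

```python
from dataclasses import dataclass
import secrets


@dataclass
class EmailAddress:
    address: str
    verified: bool  # True only once the owner has confirmed the address


@dataclass
class User:
    username: str
    emails: list


# Constructed sample account: a confirmed primary address plus a secondary
# address that was added to the profile but never confirmed.
USERS = [
    User("alice", [
        EmailAddress("alice@example.com", True),
        EmailAddress("alice@unconfirmed.example", False),
    ]),
]


def find_user_by_email(address: str):
    """Look up the account that lists this address, confirmed or not."""
    for user in USERS:
        if any(e.address == address for e in user.emails):
            return user
    return None


def issue_reset_weak(requested: str):
    """Weak pattern: the token is mailed to the address that was requested,
    as long as it appears anywhere on the account, even if never confirmed."""
    user = find_user_by_email(requested)
    if user is None:
        return None, []
    return secrets.token_urlsafe(32), [requested]


def issue_reset_hardened(requested: str):
    """Hardened pattern: a token is only ever mailed to a confirmed address.
    A request naming an unconfirmed address gets no token and no mail, while
    the caller still answers with the same generic message to avoid enumeration."""
    user = find_user_by_email(requested)
    if user is None:
        return None, []
    recipients = [e.address for e in user.emails if e.verified and e.address == requested]
    if not recipients:
        return None, []
    return secrets.token_urlsafe(32), recipients
```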