Vulnerabilities > Gitlab
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-10-04 | CVE-2021-39883 | Unspecified vulnerability in Gitlab Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows subgroup members to see epics from all parent subgroups. | 4.3 |
| 2021-10-04 | CVE-2021-39885 | Cross-site Scripting vulnerability in Gitlab A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names | 5.4 |
| 2021-10-04 | CVE-2021-39896 | Unspecified vulnerability in Gitlab In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues. | 3.8 |
| 2021-10-04 | CVE-2021-39899 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gitlab In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. | 4.2 |
| 2021-10-04 | CVE-2021-39900 | Information Exposure Through Log Files vulnerability in Gitlab Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs. | 2.7 |
| 2021-09-09 | CVE-2021-22239 | Incorrect Authorization vulnerability in Gitlab An unauthorized user was able to insert metadata when creating new issue on GitLab CE/EE 14.0 and later. | 4.3 |
| 2021-08-25 | CVE-2021-22236 | Incorrect Authorization vulnerability in Gitlab 14.1.0/14.1.1 Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. | 8.8 |
| 2021-08-25 | CVE-2021-22237 | Session Fixation vulnerability in Gitlab Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. | 4.9 |
| 2021-08-25 | CVE-2021-22242 | Cross-site Scripting vulnerability in Gitlab Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown | 5.4 |
| 2021-08-25 | CVE-2021-22243 | Incorrect Authorization vulnerability in Gitlab Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group. | 4.3 |