Vulnerabilities > Gitlab
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-10-05 | CVE-2021-39872 | Improper Authentication vulnerability in Gitlab In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration. | 6.5 |
| 2021-10-05 | CVE-2021-39875 | Unspecified vulnerability in Gitlab In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. | 5.3 |
| 2021-10-05 | CVE-2021-39878 | Cross-site Scripting vulnerability in Gitlab A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code. | 5.4 |
| 2021-10-05 | CVE-2021-39882 | Cleartext Transmission of Sensitive Information vulnerability in Gitlab In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user. | 5.3 |
| 2021-10-05 | CVE-2021-39884 | Unspecified vulnerability in Gitlab In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. | 4.3 |
| 2021-10-05 | CVE-2021-39888 | Unspecified vulnerability in Gitlab In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates. | 4.3 |
| 2021-10-05 | CVE-2021-39893 | Missing Authorization vulnerability in Gitlab A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation. | 7.5 |
| 2021-10-05 | CVE-2021-39894 | Server-Side Request Forgery (SSRF) vulnerability in Gitlab In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks. | 5.4 |
| 2021-10-05 | CVE-2021-39887 | Cross-site Scripting vulnerability in Gitlab A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf. | 5.4 |
| 2021-10-04 | CVE-2021-22259 | Unspecified vulnerability in Gitlab A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API. | 6.5 |