Vulnerabilities > Gitlab > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-10-05 | CVE-2021-39891 | Improper Cross-boundary Removal of Sensitive Data vulnerability in Gitlab In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure. | 4.9 |
| 2021-10-05 | CVE-2021-39866 | Unspecified vulnerability in Gitlab A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens. | 5.4 |
| 2021-10-05 | CVE-2021-39869 | Unspecified vulnerability in Gitlab In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. | 6.5 |
| 2021-10-05 | CVE-2021-39872 | Improper Authentication vulnerability in Gitlab In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration. | 6.5 |
| 2021-10-05 | CVE-2021-39875 | Unspecified vulnerability in Gitlab In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. | 5.3 |
| 2021-10-05 | CVE-2021-39878 | Cross-site Scripting vulnerability in Gitlab A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code. | 5.4 |
| 2021-10-05 | CVE-2021-39882 | Cleartext Transmission of Sensitive Information vulnerability in Gitlab In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user. | 5.3 |
| 2021-10-05 | CVE-2021-39884 | Unspecified vulnerability in Gitlab In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. | 4.3 |
| 2021-10-05 | CVE-2021-39888 | Unspecified vulnerability in Gitlab In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates. | 4.3 |
| 2021-10-05 | CVE-2021-39894 | Server-Side Request Forgery (SSRF) vulnerability in Gitlab In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks. | 5.4 |