Vulnerabilities > Gitlab > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-11 | CVE-2020-26408 | Missing Authorization vulnerability in Gitlab A limited information disclosure vulnerability exists in Gitlab CE/EE from >= 12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in user's private profile | 5.3 |
| 2020-12-11 | CVE-2020-13357 | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project. | 4.3 |
| 2020-12-11 | CVE-2020-26409 | Resource Exhaustion vulnerability in Gitlab A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields. | 6.5 |
| 2020-12-10 | CVE-2020-26407 | Cross-site Scripting vulnerability in Gitlab A XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting to other users via importing a malicious project | 5.4 |
| 2020-11-17 | CVE-2020-13349 | Resource Exhaustion vulnerability in Gitlab An issue has been discovered in GitLab EE affecting all versions starting from 8.12. | 4.3 |
| 2020-11-17 | CVE-2020-13348 | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab EE affecting all versions starting from 10.2. | 5.7 |
| 2020-11-17 | CVE-2020-13351 | Incorrect Default Permissions vulnerability in Gitlab Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. | 6.5 |
| 2020-11-17 | CVE-2020-13350 | Cross-Site Request Forgery (CSRF) vulnerability in Gitlab CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. | 4.3 |
| 2020-11-17 | CVE-2020-26406 | Unspecified vulnerability in Gitlab Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. | 5.3 |
| 2020-11-17 | CVE-2020-13358 | Unspecified vulnerability in Gitlab A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. | 5.5 |