Vulnerabilities > Gitlab > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-08-02 | CVE-2017-11437 | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, and 9.3.8 allows an authenticated user with the ability to create a project to use the mirroring feature to potentially read repositories belonging to other users. | 4.0 |
| 2017-05-04 | CVE-2017-8778 | Cross-site Scripting vulnerability in Gitlab GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 has XSS via a SCRIPT element in an issue attachment or avatar that is an SVG document. | 4.3 |
| 2017-03-28 | CVE-2017-0882 | Information Exposure vulnerability in Gitlab Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. | 4.0 |
| 2017-03-28 | CVE-2016-9469 | Permissions, Privileges, and Access Controls vulnerability in Gitlab Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. | 5.0 |
| 2017-01-23 | CVE-2016-4340 | Permissions, Privileges, and Access Controls vulnerability in Gitlab The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors. | 6.5 |
| 2016-11-03 | CVE-2016-9086 | Information Exposure vulnerability in Gitlab GitLab versions 8.9.x and above contain a critical security flaw in the "import/export project" feature of GitLab. | 4.0 |
| 2014-05-17 | CVE-2013-4489 | Remote Code Execution vulnerability in GitLab 'Code Search' Feature The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature. | 6.5 |
| 2014-05-13 | CVE-2014-3456 | Cross-Site Scripting vulnerability in Gitlab 6.6.0/6.6.1 Cross-site scripting (XSS) vulnerability in GitLab Enterprise Edition (EE) 6.6.0 before 6.6.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2014-05-13 | CVE-2013-4546 | Unspecified vulnerability in Gitlab and Gitlab-Shell The repository import feature in gitlab-shell before 1.7.4, as used in GitLab, allows remote authenticated users to execute arbitrary commands via the import URL. | 6.5 |
| 2014-05-13 | CVE-2013-4490 | Remote Code Execution vulnerability in GitLab 'SSH key upload' Feature The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands via shell metacharacters in the public key. | 6.5 |