βΌ CVE-2023-44166 βΌ
π Read
via "National Vulnerability Database".
The 'age' parameter of the process_registration.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44167 βΌ
π Read
via "National Vulnerability Database".
The 'name' parameter of the process_registration.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-4532 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2233 βΌ
π Read
via "National Vulnerability Database".
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-3906 βΌ
π Read
via "National Vulnerability Database".
An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44464 βΌ
π Read
via "National Vulnerability Database".
pretix before 2023.7.2 allows Pillow to parse EPS files.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3922 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0989 βΌ
π Read
via "National Vulnerability Database".
An information disclosure issue in GitLab CE/EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3914 βΌ
π Read
via "National Vulnerability Database".
A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3979 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge requestΓ’β¬β’s source branch.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5198 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26147 βΌ
π Read
via "National Vulnerability Database".
All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build headers values. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content, like for example additional headers or new response body, leading to a potential XSS vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44466 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3413 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3917 βΌ
π Read
via "National Vulnerability Database".
Denial of Service in pipelines affecting all versions of Gitlab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows attacker to cause pipelines to fail.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3920 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26148 βΌ
π Read
via "National Vulnerability Database".
All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30591 βΌ
π Read
via "National Vulnerability Database".
Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32477 βΌ
π Read
via "National Vulnerability Database".
Dell Common Event Enabler 8.9.8.2 for Windows and prior, contain an improper access control vulnerability. A local low-privileged malicious user may potentially exploit this vulnerability to gain elevated privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44469 βΌ
π Read
via "National Vulnerability Database".
A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3115 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab EE affecting all versions affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories.π Read
via "National Vulnerability Database".