π¨ CVE-2024-1495
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file.
π@cveNotify
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file.
π@cveNotify
GitLab
GitLab Patch Release: 17.0.2, 16.11.4, 16.10.7
Learn more about GitLab Patch Release: 17.0.2, 16.11.4, 16.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
π¨ CVE-2024-1736
An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.
π@cveNotify
An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.
π@cveNotify
GitLab
GitLab Patch Release: 17.0.2, 16.11.4, 16.10.7
Learn more about GitLab Patch Release: 17.0.2, 16.11.4, 16.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
π¨ CVE-2024-1963
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.
π@cveNotify
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.
π@cveNotify
GitLab
GitLab Patch Release: 17.0.2, 16.11.4, 16.10.7
Learn more about GitLab Patch Release: 17.0.2, 16.11.4, 16.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
π¨ CVE-2024-5469
DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests.
π@cveNotify
DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests.
π@cveNotify
GitLab
Missing agentk request validation could cause KAS to panic (#464143) Β· Issues Β· GitLab.org / GitLab Β· GitLab
With a change made during %17.0 (removing to send AgentMeta with the GetConfiguration...
π¨ CVE-2024-1493
An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular expression DoS attack on the server
π@cveNotify
An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular expression DoS attack on the server
π@cveNotify
GitLab
ReDoS in dependency linker for multiple filetypes that use the shared `link_method_call` regexp (#441806) Β· Issues Β· GitLab.orgβ¦
β Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be...
π¨ CVE-2024-3115
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat.
π@cveNotify
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat.
π@cveNotify
GitLab
GitLab Duo Chat can access issues and epics in SSO enforced groups without having an SSO session (#452548) Β· Issues Β· GitLab.orgβ¦
β Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be...
π¨ CVE-2024-4011
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives.
π@cveNotify
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives.
π@cveNotify
GitLab
Non project member can promote key results to objectives (#457235) Β· Issues Β· GitLab.org / GitLab Β· GitLab
β Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be...
π¨ CVE-2024-6323
Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project.
π@cveNotify
Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project.
π@cveNotify
GitLab
Search count can leak content of private repositories in public projects (#457912) Β· Issues Β· GitLab.org / GitLab Β· GitLab
Summary Using https://gitlab.com/search/count it is possible to leak information from private repositories in public projects.
π¨ CVE-2024-6595
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data.
π@cveNotify
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data.
π@cveNotify
vlt /vΕlt/ - blog
The massive bug at the heart of the npm ecosystem
An article detailing the massive bug at the heart of the npm ecosystem; encompassing a lack of validation by the public registry, package manifest inconsistancies & assumptions about package managers & security products
π¨ CVE-2024-2800
ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.
π@cveNotify
ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.
π@cveNotify
π¨ CVE-2024-3114
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.
π@cveNotify
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.
π@cveNotify
π¨ CVE-2024-5651
A flaw was found in the Fence Agents Remediation operator. This vulnerability can allow a Remote Code Execution (RCE) primitive by supplying an arbitrary command to execute in the --ssh-path/--telnet-path arguments. A low-privilege user, for example, a user with developer access, can create a specially crafted FenceAgentsRemediation for a fence agent supporting --ssh-path/--telnet-path arguments to execute arbitrary commands on the operator's pod. This RCE leads to a privilege escalation, first as the service account running the operator, then to another service account with cluster-admin privileges.
π@cveNotify
A flaw was found in the Fence Agents Remediation operator. This vulnerability can allow a Remote Code Execution (RCE) primitive by supplying an arbitrary command to execute in the --ssh-path/--telnet-path arguments. A low-privilege user, for example, a user with developer access, can create a specially crafted FenceAgentsRemediation for a fence agent supporting --ssh-path/--telnet-path arguments to execute arbitrary commands on the operator's pod. This RCE leads to a privilege escalation, first as the service account running the operator, then to another service account with cluster-admin privileges.
π@cveNotify
π¨ CVE-2024-6633
The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software.
The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB.
π@cveNotify
The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software.
The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB.
π@cveNotify
π¨ CVE-2024-40395
An Insecure Direct Object Reference (IDOR) in PTC ThingWorx v9.5.0 allows attackers to view sensitive information, including PII, regardless of access level.
π@cveNotify
An Insecure Direct Object Reference (IDOR) in PTC ThingWorx v9.5.0 allows attackers to view sensitive information, including PII, regardless of access level.
π@cveNotify
Pastebin
CVE-2024-40395 - Pastebin.com
Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
π¨ CVE-2024-41346
openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/submit.php
π@cveNotify
openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/submit.php
π@cveNotify
GitHub
XSS vulnerability_3 Β· Issue #1479 Β· jpatokal/openflights
Hello, I would like to report for a XSS vulnerability in openflights. The path of the vulnerability. In file https://github.com/jpatokal/openflights/blob/master/php/submit.php $uid = $_SESSION[&quo...
π¨ CVE-2024-41347
openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/settings.php
π@cveNotify
openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/settings.php
π@cveNotify
GitHub
XSS vulnerability_1 Β· Issue #1477 Β· jpatokal/openflights
Hello, I would like to report for a xss vulnerability in openflights. The path of the vulnerability. In file https://github.com/jpatokal/openflights/blob/master/php/settings.php $type = $_POST[&quo...
π¨ CVE-2024-41348
openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/alsearch.php
π@cveNotify
openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/alsearch.php
π@cveNotify
GitHub
multiple XSS vulnerabilities_2 Β· Issue #1478 Β· jpatokal/openflights
Hello, I would like to report for multiple XSS vulnerabilities in openflights. The path of the vulnerability. In file https://github.com/jpatokal/openflights/blob/master/php/alsearch.php A total of...
π¨ CVE-2024-41622
D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability via the tomography_ping_address parameter in /HNAP1/ interface.
π@cveNotify
D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability via the tomography_ping_address parameter in /HNAP1/ interface.
π@cveNotify
π₯1
π¨ CVE-2024-44340
D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability via keys smartqos_express_devices and smartqos_normal_devices in SetSmartQoSSettings.
π@cveNotify
D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability via keys smartqos_express_devices and smartqos_normal_devices in SetSmartQoSSettings.
π@cveNotify
π₯1
π¨ CVE-2024-44341
D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.
π@cveNotify
D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.
π@cveNotify
π₯1
π¨ CVE-2024-44342
D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability via the wl(0).(0)_ssid parameter. This vulnerability is exploited via a crafted POST request.
π@cveNotify
D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability via the wl(0).(0)_ssid parameter. This vulnerability is exploited via a crafted POST request.
π@cveNotify
π₯1