An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 before 16.1.6, 16.2 before 16.2.9, 16.3 before 16.3.7, 16.4 before 16.4.5, 16.5 before 16.5.6, 16.6 before 16.6.4, and 16.7 before 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
gitlab gitlab |
High-severity GitLab flaw lets attackers take over accounts By Sergiu Gatlan May 23, 2024 01:43 PM 0 GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting (XSS) attacks. The security flaw (tracked as CVE-2024-4835) is an XSS weakness in the VS code editor (Web IDE) that lets threat actors steal restricted information using maliciously crafted pages. While they can exploit this vulnerability in attack...
CISA says GitLab account takeover bug is actively exploited in attacks By Sergiu Gatlan May 1, 2024 12:29 PM 0 CISA warned today that attackers are actively exploiting a maximum-severity GitLab vulnerability that allows them to take over accounts via password resets. GitLab hosts sensitive data, including proprietary code and API keys, and account hijacking can have a significant impact. Successful exploitation can also lead to supply chain attacks that can compromise repositories by insertin...
Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources The bug with a perfect 10 severity score has been ripe for exploitation since May
GitLab admins should apply the latest batch of security patches pronto given the new critical account-bypass vulnerability just disclosed. Tracked as CVE-2023-7028, the maximum-severity bug exploits a change introduced in version 16.1.0 back in May 2023 that allowed users to issue password resets through a secondary email address. Attackers targeting vulnerable self-managed GitLab instances could use a specially crafted HTTP request to send a password reset email to an attacker-controlled, unver...
Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Warning comes exactly a year after the vulnerability was introduced
The US Cybersecurity and Infrastructure Security Agency (CISA) is forcing all federal agencies to patch a critical vulnerability in GitLab's Community and Enterprise editions, confirming it is very much under "active exploit." When CISA adds a vulnerability to its Known Exploited Vulnerabilities (KEV) list, it means all federal civilian executive branch (FCEB) agencies usually have a maximum of 21 days to fix the issue to prevent harmful attacks on the government. The name is somewhat of a givea...