Published: 12/01/2024 Updated: 18/01/2024

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 0

Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 prior to 16.5.6, all versions starting from 16.6 prior to 16.6.4, all versions starting from 16.7 prior to 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user.

Vulnerable Product	Search on Vulmon	Subscribe to Product
gitlab gitlab 16.7.0
gitlab gitlab 16.7.1
gitlab gitlab

Patch time: Critical GitLab vulnerability exposes 2FA-less users to account takeovers

The Register

Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources The bug with a perfect 10 severity score has been ripe for exploitation since May

GitLab admins should apply the latest batch of security patches pronto given the new critical account-bypass vulnerability just disclosed. Tracked as CVE-2023-7028, the maximum-severity bug exploits a change introduced in version 16.1.0 back in May 2023 that allowed users to issue password resets through a secondary email address. Attackers targeting vulnerable self-managed GitLab instances could use a specially crafted HTTP request to send a password reset email to an attacker-controlled, unver...

CVE-2023-5356

Vulnerability Summary

Vulnerability Trend

Recent Articles

References

Vulmon Search

About

Products

Connect