An issue was discovered in GitLab Community and Enterprise Edition 10.6 through 11.11. Users could guess the URL slug of private projects through the contrast of the destination URLs of issues linked in comments. It allows Information Disclosure.
CVSS Score
4.3
EPSS Score
0.001
Published
2020-03-10
GitLab 10.7 and later through 12.7.2 has Incorrect Access Control.
CVSS Score
9.8
EPSS Score
0.002
Published
2020-03-06
GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline.
CVSS Score
4.3
EPSS Score
0.007
Published
2020-02-14
GitLab through 12.7.2 allows XSS.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-02-05
GitLab EE 8.0 through 12.7.2 has Incorrect Access Control.
CVSS Score
7.5
EPSS Score
0.001
Published
2020-02-05
An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names.
CVSS Score
4.3
EPSS Score
0.003
Published
2020-01-28
An information disclosure issue was discovered GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information.
CVSS Score
7.5
EPSS Score
0.003
Published
2020-01-28
A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.
CVSS Score
8.8
EPSS Score
0.004
Published
2020-01-28
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
CVSS Score
9.8
EPSS Score
0.004
Published
2020-01-28
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.
CVSS Score
4.3
EPSS Score
0.005
Published
2020-01-28