GitLab Community Edition
by GitLab Inc.
Source repositories
CVEs (109)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-17976 | Med | 0.42 | 6.5 | 0.01 | Dec 4, 2018 | An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via Epic change descriptions. | ||
| CVE-2018-8801 | Med | 0.42 | 6.5 | 0.01 | Apr 25, 2018 | GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component. | ||
| CVE-2017-0927 | Med | 0.42 | 6.5 | 0.01 | Mar 21, 2018 | Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users. | ||
| CVE-2018-20501 | Med | 0.41 | 6.3 | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | ||
| CVE-2017-11438 | Med | 0.41 | 6.3 | 0.01 | Aug 2, 2017 | GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup. | ||
| CVE-2019-18451 | Med | 0.40 | 6.1 | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 10.7.4 through 12.4 in the InternalRedirect filtering feature. It has an Open Redirect. | ||
| CVE-2019-15739 | Med | 0.40 | 6.1 | 0.01 | Sep 16, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 8.1 through 12.2.1. Certain areas displaying Markdown were not properly sanitizing some XSS payloads. | ||
| CVE-2019-15724 | Med | 0.40 | 6.1 | 0.01 | Sep 16, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.2.1. Label descriptions are vulnerable to HTML injection. | ||
| CVE-2019-11547 | Med | 0.40 | 6.1 | 0.01 | Sep 9, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name on new merge request notification emails isn't escaped, which could potentially… | ||
| CVE-2018-19493 | Med | 0.40 | 6.1 | 0.01 | Jul 10, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is a persistent XSS vulnerability in the environment pages due to a lack of input validation and output encoding. | ||
| CVE-2019-10117 | Med | 0.40 | 6.1 | 0.01 | May 16, 2019 | An Open Redirect issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. A redirect is triggered after successful authentication within the Oauth/:GeoAuthController for the secondary Geo node. | ||
| CVE-2018-18642 | Med | 0.40 | 6.1 | 0.01 | Dec 4, 2018 | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has XSS. | ||
| CVE-2018-16050 | Med | 0.40 | 6.1 | 0.01 | Oct 3, 2018 | An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.5 and 11.2.x before 11.2.2. There is Persistent XSS in the Merge Request Changes View. | ||
| CVE-2018-9243 | Med | 0.40 | 6.1 | 0.01 | Apr 5, 2018 | GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and… | ||
| CVE-2017-0924 | Med | 0.40 | 6.1 | 0.01 | Mar 21, 2018 | Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the labels component resulting in persistent cross site scripting. | ||
| CVE-2017-0923 | Med | 0.40 | 6.1 | 0.01 | Mar 21, 2018 | Gitlab Community Edition version 9.1 is vulnerable to lack of input validation in the IPython notebooks component resulting in persistent cross site scripting. | ||
| CVE-2017-0917 | Med | 0.40 | 6.1 | 0.01 | Mar 21, 2018 | Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting. | ||
| CVE-2019-9172 | Med | 0.38 | 5.9 | 0.02 | Apr 17, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 2 of 5). | ||
| CVE-2019-9221 | Med | 0.36 | 5.5 | 0.00 | May 29, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 3 of 5). | ||
| CVE-2018-17536 | Med | 0.35 | 5.4 | 0.00 | Apr 15, 2023 | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the merge request page via project import. |
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via Epic change descriptions.
- risk 0.42cvss 6.5epss 0.01
GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component.
- risk 0.42cvss 6.5epss 0.01
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users.
- risk 0.41cvss 6.3epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
- risk 0.41cvss 6.3epss 0.01
GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition 10.7.4 through 12.4 in the InternalRedirect filtering feature. It has an Open Redirect.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition 8.1 through 12.2.1. Certain areas displaying Markdown were not properly sanitizing some XSS payloads.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.2.1. Label descriptions are vulnerable to HTML injection.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name on new merge request notification emails isn't escaped, which could potentially…
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is a persistent XSS vulnerability in the environment pages due to a lack of input validation and output encoding.
- risk 0.40cvss 6.1epss 0.01
An Open Redirect issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. A redirect is triggered after successful authentication within the Oauth/:GeoAuthController for the secondary Geo node.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has XSS.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.5 and 11.2.x before 11.2.2. There is Persistent XSS in the Merge Request Changes View.
- risk 0.40cvss 6.1epss 0.01
GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and…
- risk 0.40cvss 6.1epss 0.01
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the labels component resulting in persistent cross site scripting.
- risk 0.40cvss 6.1epss 0.01
Gitlab Community Edition version 9.1 is vulnerable to lack of input validation in the IPython notebooks component resulting in persistent cross site scripting.
- risk 0.40cvss 6.1epss 0.01
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting.
- risk 0.38cvss 5.9epss 0.02
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 2 of 5).
- risk 0.36cvss 5.5epss 0.00
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 3 of 5).
- risk 0.35cvss 5.4epss 0.00
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the merge request page via project import.
Page 3 of 6