FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
54006796-cf7b-11ed-a5d5-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Cross-site scripting in "Maximum page reached" page

Private project guests can read new changes using a fork

Mirror repository error reveals password in Settings UI

DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint

Unauthenticated users can view Environment names from public projects limited to project members only

Copying information to the clipboard could lead to the execution of unexpected commands

Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL

Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release

Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown

MR for security reports are available to everyone

API timeout when searching for group issues

Unauthorised user can add child epics linked to victim's epic in an unrelated group

GitLab search allows to leak internal notes

Ambiguous branch name exploitation in GitLab

Improper permissions checks for moving an issue

Private project branches names can be leaked through a fork


Discovery 2023-03-30
Entry 2023-03-31
gitlab-ce
ge 15.10.0 lt 15.10.1

ge 15.9.0 lt 15.9.4

ge 8.1 lt 15.8.5

CVE-2022-3513
CVE-2023-0485
CVE-2023-1098
CVE-2023-1733
CVE-2023-0319
CVE-2023-1708
CVE-2023-0838
CVE-2023-0523
CVE-2023-0155
CVE-2023-1167
CVE-2023-1417
CVE-2023-1710
CVE-2023-0450
CVE-2023-1071
CVE-2022-3375
https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/
04422df1-40d8-11ed-9be7-454b1dd82c64Gitlab -- Multiple vulnerabilities

Gitlab reports:

Denial of Service via cloning an issue

Arbitrary PUT request as victim user through Sentry error list

Content injection via External Status Checks

Project maintainers can access Datadog API Key from logs

Unsafe serialization of Json data could lead to sensitive data leakage

Import bug allows importing of private local git repos

Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)

Unauthorized users able to create issues in any project

Bypass group IP restriction on Dependency Proxy

Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system

Disclosure of Todo details to guest users

A user's primary email may be disclosed through group member events webhooks

Content manipulation due to branch/tag name confusion with the default branch name

Leakage of email addresses in WebHook logs

Specially crafted output makes job logs inaccessible

Enforce editing approval rules on project level


Discovery 2022-09-29
Entry 2022-09-30
gitlab-ce
ge 15.4.0 lt 15.4.1

ge 15.3.0 lt 15.3.4

ge 9.3.0 lt 15.2.5

CVE-2022-3293
CVE-2022-3279
CVE-2022-3325
https://about.gitlab.com/releases/2022/09/29/security-release-gitlab-15-4-1-released/
CVE-2022-3283
CVE-2022-3060
CVE-2022-2904
CVE-2022-3018
CVE-2022-3291
CVE-2022-3067
CVE-2022-2882
CVE-2022-3066
CVE-2022-3286
CVE-2022-3285
CVE-2022-3330
CVE-2022-3351
CVE-2022-3288
3cde510a-7135-11ed-a28b-bff032704f00Gitlab -- Multiple Vulnerabilities

Gitlab reports:

DAST API scanner exposes Authorization headers in vulnerabilities

Group IP allow-list not fully respected by the Package Registry

Deploy keys and tokens may bypass External Authorization service if it is enabled

Repository import still allows to import 40 hexadecimal branches

Webhook secret tokens leaked in webhook logs

Maintainer can leak webhook secret token by changing the webhook URL

Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP

Release names visible in public projects despite release set as project members only

Sidekiq background job DoS by uploading malicious NuGet packages

SSRF in Web Terminal advertise_address


Discovery 2022-11-30
Entry 2022-12-01
gitlab-ce
ge 15.6.0 lt 15.6.1

ge 15.5.0 lt 15.5.5

ge 9.3.0 lt 15.4.6

CVE-2022-4206
CVE-2022-3820
CVE-2022-3740
CVE-2022-4205
CVE-2022-3902
CVE-2022-4054
CVE-2022-3572
CVE-2022-3482
CVE-2022-3478
CVE-2022-4201
https://about.gitlab.com/releases/2022/11/30/security-release-gitlab-15-6-1-released/
e6b994e2-2891-11ed-9be7-454b1dd82c64Gitlab -- multiple vulnerabilities

Gitlab reports:

Remote Command Execution via GitHub import

Stored XSS via labels color

Content injection via Incidents Timeline description

Lack of length validation in Snippets leads to Denial of Service

Group IP allow-list not fully respected by the Package Registry

Abusing Gitaly.GetTreeEntries calls leads to denial of service

Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags

Regular Expression Denial of Service via special crafted input

Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events

Regex backtracking through the Commit message field

Read repository content via LivePreview feature

Denial of Service via the Create branch API

Denial of Service via Issue preview

IDOR in Zentao integration leaked issue details

Brute force attack may guess a password even when 2FA is enabled


Discovery 2022-08-30
Entry 2022-08-30
gitlab-ce
ge 15.3.0 lt 15.3.2

ge 15.2.0 lt 15.2.4

ge 10.0.0 lt 15.1.6

CVE-2022-2992
CVE-2022-2865
CVE-2022-2527
CVE-2022-2592
CVE-2022-2533
CVE-2022-2455
CVE-2022-2428
CVE-2022-2908
CVE-2022-2630
CVE-2022-2931
CVE-2022-2907
CVE-2022-3031
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
3a023570-91ab-11ed-8950-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Race condition on gitlab.com enables verified email forgery and third-party account hijacking

DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint

Maintainer can leak sentry token by changing the configured URL

Maintainer can leak masked webhook secrets by changing target URL of the webhook

Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP

Group access tokens continue to work after owner loses ability to revoke them

Users' avatar disclosure by user ID in private GitLab instances

Arbitrary Protocol Redirection in GitLab Pages

Regex DoS due to device-detector parsing user agents

Regex DoS in the Submodule Url Parser


Discovery 2023-01-09
Entry 2023-01-11
gitlab-ce
ge 15.7.0 lt 15.7.2

ge 15.6.0 lt 15.6.4

ge 6.6.0 lt 15.5.7

CVE-2022-4037
CVE-2022-3613
CVE-2022-4365
CVE-2022-4342
CVE-2022-3573
CVE-2022-4167
CVE-2022-3870
CVE-2023-0042
CVE-2022-4131
CVE-2022-3514
https://about.gitlab.com/releases/2023/01/09/security-release-gitlab-15-7-2-released/
f7c5b3a9-b9fb-11ed-99c6-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Stored XSS via Kroki diagram

Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings

Improper validation of SSO and SCIM tokens while managing groups

Maintainer can leak Datadog API key by changing Datadog site

Clipboard based XSS in the title field of work items

Improper user right checks for personal snippets

Release Description visible in public projects despite release set as project members only

Group integration settings sensitive information exposed to project maintainers

Improve pagination limits for commits

Gitlab Open Redirect Vulnerability

Maintainer may become an Owner of a project


Discovery 2023-03-02
Entry 2023-03-03
gitlab-ce
ge 15.9.0 lt 15.9.2

ge 15.8.0 lt 15.8.4

ge 9.0.0 lt 15.7.8

CVE-2023-0050
CVE-2022-4289
CVE-2022-4331
CVE-2023-0483
CVE-2022-4007
CVE-2022-3758
CVE-2023-0223
CVE-2022-4462
CVE-2023-1072
CVE-2022-3381
CVE-2023-1084
https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released/
ee890be3-a1ec-11ed-a81d-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Denial of Service via arbitrarily large Issue descriptions

CSRF via file upload allows an attacker to take over a repository

Sidekiq background job DoS by uploading malicious CI job artifact zips

Sidekiq background job DoS by uploading a malicious Helm package


Discovery 2023-01-31
Entry 2023-02-01
gitlab-ce
ge 15.8.0 lt 15.8.1

ge 15.7.0 lt 15.7.6

ge 12.4.0 lt 15.6.7

CVE-2022-3411
CVE-2022-4138
CVE-2022-3759
CVE-2023-0518
https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/
16f7ec68-5cce-11ed-9be7-454b1dd82c64Gitlab -- Multiple vulnerabilities

Gitlab reports:

DAST analyzer sends custom request headers with every request

Stored-XSS with CSP-bypass via scoped labels' color

Maintainer can leak Datadog API key by changing integration URL

Uncontrolled resource consumption when parsing URLs

Issue HTTP requests when users view an OpenAPI document and click buttons

Command injection in CI jobs via branch name in CI pipelines

Open redirection

Prefill variables do not check permission of the project in external CI config

Disclosure of audit events to insufficiently permissioned group and project members

Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

Award emojis API for an internal note is accessible to users without access to the note

Open redirect in pipeline artifacts when generating HTML documents

Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines

Project-level Secure Files can be written out of the target directory


Discovery 2022-11-02
Entry 2022-11-05
gitlab-ce
ge 15.5.0 lt 15.5.2

ge 15.4.0 lt 15.4.4

ge 9.3.0 lt 15.3.5

CVE-2022-3767
CVE-2022-3265
CVE-2022-3483
CVE-2022-3818
CVE-2022-3726
CVE-2022-2251
CVE-2022-3486
CVE-2022-3793
CVE-2022-3413
CVE-2022-2761
CVE-2022-3819
CVE-2022-3280
CVE-2022-3706
https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/