FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
f7c5b3a9-b9fb-11ed-99c6-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Stored XSS via Kroki diagram

Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings

Improper validation of SSO and SCIM tokens while managing groups

Maintainer can leak Datadog API key by changing Datadog site

Clipboard based XSS in the title field of work items

Improper user right checks for personal snippets

Release Description visible in public projects despite release set as project members only

Group integration settings sensitive information exposed to project maintainers

Improve pagination limits for commits

Gitlab Open Redirect Vulnerability

Maintainer may become an Owner of a project


Discovery 2023-03-02
Entry 2023-03-03
gitlab-ce
ge 15.9.0 lt 15.9.2

ge 15.8.0 lt 15.8.4

ge 9.0.0 lt 15.7.8

CVE-2023-0050
CVE-2022-4289
CVE-2022-4331
CVE-2023-0483
CVE-2022-4007
CVE-2022-3758
CVE-2023-0223
CVE-2022-4462
CVE-2023-1072
CVE-2022-3381
CVE-2023-1084
https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released/
54006796-cf7b-11ed-a5d5-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Cross-site scripting in "Maximum page reached" page

Private project guests can read new changes using a fork

Mirror repository error reveals password in Settings UI

DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint

Unauthenticated users can view Environment names from public projects limited to project members only

Copying information to the clipboard could lead to the execution of unexpected commands

Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL

Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release

Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown

MR for security reports are available to everyone

API timeout when searching for group issues

Unauthorised user can add child epics linked to victim's epic in an unrelated group

GitLab search allows to leak internal notes

Ambiguous branch name exploitation in GitLab

Improper permissions checks for moving an issue

Private project branches names can be leaked through a fork


Discovery 2023-03-30
Entry 2023-03-31
gitlab-ce
ge 15.10.0 lt 15.10.1

ge 15.9.0 lt 15.9.4

ge 8.1 lt 15.8.5

CVE-2022-3513
CVE-2023-0485
CVE-2023-1098
CVE-2023-1733
CVE-2023-0319
CVE-2023-1708
CVE-2023-0838
CVE-2023-0523
CVE-2023-0155
CVE-2023-1167
CVE-2023-1417
CVE-2023-1710
CVE-2023-0450
CVE-2023-1071
CVE-2022-3375
https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/
ee890be3-a1ec-11ed-a81d-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Denial of Service via arbitrarily large Issue descriptions

CSRF via file upload allows an attacker to take over a repository

Sidekiq background job DoS by uploading malicious CI job artifact zips

Sidekiq background job DoS by uploading a malicious Helm package


Discovery 2023-01-31
Entry 2023-02-01
gitlab-ce
ge 15.8.0 lt 15.8.1

ge 15.7.0 lt 15.7.6

ge 12.4.0 lt 15.6.7

CVE-2022-3411
CVE-2022-4138
CVE-2022-3759
CVE-2023-0518
https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/