FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID / Description

VuXML ID: 6c22bb39-0a9a-11ec-a265-001b217b3468
Description: Gitlab -- Vulnerabilities

Gitlab reports:

Stored XSS in DataDog Integration

Invited group members continue to have project access even after invited group is deleted

Specially crafted requests to apollo_upload_server middleware leads to denial of service

Privilege escalation of an external user through project token

Missing access control allows non-admin users to add/remove Jira Connect Namespaces

User enumeration on private instances

Member e-mails can be revealed via project import/export feature

Stored XSS in Jira integration

Stored XSS in markdown via the Design reference

Discovery 2021-08-31
Entry 2021-08-31
gitlab-ce
ge 14.2.0 lt 14.2.2
ge 14.1.0 lt 14.1.4
ge 0 lt 14.0.9
CVE-2021-22257
CVE-2021-22258
CVE-2021-22238
https://about.gitlab.com/releases/2021/08/31/security-release-gitlab-14-2-2-released/

VuXML ID: 1bdd4db6-2223-11ec-91be-001b217b3468
Description: Gitlab -- vulnerabilities

Gitlab reports:

Stored XSS in merge request creation page

Denial-of-service attack in Markdown parser

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

DNS Rebinding vulnerability in Gitea importer

Exposure of trigger tokens on project exports

Improper access control for users with expired password

Access tokens are not cleared after impersonation

Reflected Cross-Site Scripting in Jira Integration

DNS Rebinding vulnerability in Fogbugz importer

Access tokens persist after project deletion

User enumeration vulnerability

Potential DOS via API requests

Pending invitations of public groups and public projects are visible to any user

Bypass Disabled Repo by URL Project Creation

Low privileged users can see names of the private groups shared in projects

API discloses sensitive info to low privileged users

Epic listing does not honour group memberships

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

Low privileged users can import users from projects that they are not a maintainer on

Potential DOS via dependencies API

Create a project with unlimited repository size through malicious Project Import

Bypass disabled Bitbucket Server import source project creation

Requirement to enforce 2FA is not honored when using git commands

Content spoofing vulnerability

Improper session management in impersonation feature

Create OAuth application with arbitrary scopes through content spoofing

Lack of account lockout on change password functionality

Epic reference was not updated while moved between groups

Missing authentication allows disabling of two-factor authentication

Information disclosure in SendEntry

Discovery 2021-09-30
Entry 2021-09-30
gitlab-ce
ge 14.3.0 lt 14.3.1
ge 14.2.0 lt 14.2.5
ge 0 lt 14.1.7
CVE-2021-39885
CVE-2021-39877
CVE-2021-39887
CVE-2021-39867
CVE-2021-39869
CVE-2021-39872
CVE-2021-39878
CVE-2021-39866
CVE-2021-39882
CVE-2021-39875
CVE-2021-39870
CVE-2021-39884
CVE-2021-39883
CVE-2021-22259
CVE-2021-39868
CVE-2021-39871
CVE-2021-39874
CVE-2021-39873
CVE-2021-39881
CVE-2021-39886
CVE-2021-39879
https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/

VuXML ID: 8ba8278d-db06-11eb-ba49-001b217b3468
Description: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

DoS using Webhook connections

CSRF on GraphQL API allows executing mutations through GET requests

Private projects information disclosure

Denial of service of user profile page

Single sign-on users not getting blocked

Some users can push to Protected Branch with Deploy keys

A deactivated user can access data through GraphQL

Reflected XSS in release edit page

Clipboard DOM-based XSS

Stored XSS on Audit Log

Forks of public projects by project members could leak codebase

Improper text rendering

HTML Injection in full name field

Discovery 2021-07-01
Entry 2021-07-02
gitlab-ce
ge 14.0.0 lt 14.0.2
ge 13.12.0 lt 13.12.6
ge 8.0.0 lt 13.11.6
https://about.gitlab.com/releases/2021/07/01/security-release-gitlab-14-0-2-released/

VuXML ID: 66d1c277-652a-11eb-bb3f-001b217b3468
Description: Gitlab -- Multiple vulnerabilities

Gitlab reports:

Stored XSS in merge request

Stored XSS in epic's pages

Sensitive GraphQL variables exposed in structured log

Guest user can see tag names in private projects

Information disclosure via error message

DNS rebinding protection bypass

Validate existence of private project

Discovery 2021-02-01
Entry 2021-02-02
gitlab-ce
ge 13.8.0 lt 13.8.2
ge 13.7.0 lt 13.7.6
ge 11.8 lt 13.6.6
CVE-2021-22172
CVE-2021-22169
https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/

VuXML ID: 518a119c-a864-11eb-8ddb-001b217b3468
Description: Gitlab -- Vulnerabilities

Gitlab reports:

Read API scoped tokens can execute mutations

Pull mirror credentials were exposed

Denial of Service when querying repository branches API

Non-owners can set system_note_timestamp when creating / updating issues

DeployToken will impersonate a User with the same ID when using Dependency Proxy

Discovery 2021-04-28
Entry 2021-04-28
gitlab-ce
ge 13.11.0 lt 13.11.2
ge 13.10.0 lt 13.10.4
ge 11.6.0 lt 13.9.7
CVE-2021-22209
CVE-2021-22206
CVE-2021-22210
CVE-2021-22208
CVE-2021-22211
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/

VuXML ID: 8bf856ea-7df7-11eb-9aad-001b217b3468
Description: Gitlab -- Multiple vulnerabilities

Gitlab reports:

JWT token leak via Workhorse

Stored XSS in wiki pages

Group Maintainers are able to use the Group CI/CD Variables API

Insecure storage of GitLab session keys

Discovery 2021-03-04
Entry 2021-03-05
gitlab-ce
ge 13.9.0 lt 13.9.2
ge 13.8.0 lt 13.8.5
lt 13.7.8
CVE-2021-22185
CVE-2021-22186
https://about.gitlab.com/releases/2021/03/04/security-release-gitlab-13-9-2-released/

VuXML ID: 56abf87b-96ad-11eb-a218-001b217b3468
Description: Gitlab -- Multiple vulnerabilities

Gitlab reports:

Arbitrary File Read During Project Import

Kroki Arbitrary File Read/Write

Stored Cross-Site-Scripting in merge requests

Access data of an internal project through a public project fork as an anonymous user

Incident metric images can be deleted by any user

Infinite Loop When a User Accesses a Merge Request

Stored XSS in scoped labels

Admin CSRF in System Hooks Execution Through API

Update OpenSSL dependency

Update PostgreSQL dependency

Discovery 2021-03-31
Entry 2021-04-06
gitlab-ce
ge 13.10.0 lt 13.10.1
ge 13.9.0 lt 13.9.5
ge 9 lt 13.8.7
https://about.gitlab.com/releases/2021/03/31/security-release-gitlab-13-10-1-released/

VuXML ID: fb6e53ae-9df6-11eb-ba8c-001b217b3468
Description: Gitlab -- Vulnerabilities

Gitlab reports:

Remote code execution when uploading specially crafted image files

Update Rexml

Discovery 2021-04-14
Entry 2021-04-15
gitlab-ce
ge 13.10.0 lt 13.10.3
ge 13.9.0 lt 13.9.6
ge 7.12 lt 13.8.8
CVE-2021-28965
https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/

VuXML ID: 1020d401-6d2d-11eb-ab0b-001b217b3468
Description: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Improper Certificate Validation for Fortinet OTP

Denial of Service Attack on gitlab-shell

Resource exhaustion due to pending jobs

Confidential issue titles were exposed

Improper access control allowed demoted project members to access authored merge requests

Improper access control allowed unauthorized users to access analytic pages

Unauthenticated CI lint API may lead to information disclosure and SSRF

Prometheus integration in Gitlab may lead to SSRF

Discovery 2021-02-11
Entry 2021-02-12
gitlab-ce
ge 13.8.0 lt 13.8.4
ge 13.7.0 lt 13.7.7
ge 10.5 lt 13.6.7
https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/

VuXML ID: 5f52d646-c31f-11eb-8dcf-001b217b3468
Description: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Stealing GitLab OAuth access tokens using XSLeaks in Safari

Denial of service through recursive triggered pipelines

Unauthenticated CI lint API may lead to information disclosure and SSRF

Server-side DoS through rendering crafted Markdown documents

Issue and merge request length limit is not being enforced

Insufficient Expired Password Validation

XSS in blob viewer of notebooks

Logging of Sensitive Information

On-call rotation information exposed when removing a member

Spoofing commit author for signed commits

Enable qsh verification for Atlassian Connect

Discovery 2021-06-01
Entry 2021-06-01
gitlab-ce
ge 13.12.0 lt 13.12.2
ge 13.11.0 lt 13.11.5
ge 7.10.0 lt 13.10.5
CVE-2021-22181
https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/

VuXML ID: 1d651770-f4f5-11eb-ba49-001b217b3468
Description: Gitlab -- Gitlab

Gitlab reports:

Stored XSS in Mermaid when viewing Markdown files

Stored XSS in default branch name

Perform Git actions with an impersonation token even if impersonation is disabled

Tag and branch name confusion allows Developer to access protected CI variables

New subscriptions generate OAuth tokens on an incorrect OAuth client application

Ability to list and delete impersonation tokens for your own user

Pipelines page is partially visible for users that have no right to see CI/CD

Improper email validation on an invite URL

Unauthorised user was able to add meta data upon issue creation

Unauthorized user can trigger deployment to a protected environment

Guest in private project can see CI/CD Analytics

Guest users can create issues for Sentry errors and track their status

Private user email disclosure via group invitation

Projects are allowed to add members with email address domain that should be blocked by group settings

Misleading username could lead to impersonation in using SSH Certificates

Unauthorized user is able to access and view project vulnerability reports

Denial of service in repository caused by malformed commit author

Discovery 2021-08-03
Entry 2021-08-04
gitlab-ce
ge 14.1.0 lt 14.1.2
ge 14.0.0 lt 14.0.7
ge 0 lt 13.12.9
CVE-2021-22237
CVE-2021-22236
CVE-2021-22239
https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/

VuXML ID: 50e59056-87f2-11eb-b6a2-001b217b3468
Description: Gitlab -- Multiple vulnerabilities

Gitlab reports:

Remote code execution via unsafe user-controlled markdown rendering options

Discovery 2021-03-17
Entry 2021-03-18
gitlab-ce
ge 13.9.0 lt 13.9.4
ge 13.8.0 lt 13.8.6
ge 13.2.0 lt 13.7.9
https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/