FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  512338
Date:      2019-09-19
Time:      12:43:20Z
Committer: pi

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
9557dc72-64da-11e8-bc32-d8cb8abf62ddGitlab -- multiple vulnerabilities

GitLab reports:

Removing public deploy keys regression

Users can update their password without entering current password

Persistent XSS - Selecting users as allowed merge request approvers

Persistent XSS - Multiple locations of user selection drop downs

include directive in .gitlab-ci.yml allows SSRF requests

Permissions issue in Merge Requests Create Service

Arbitrary assignment of project fields using "Import project"


Discovery 2018-05-29
Entry 2018-05-31
gitlab
ge 10.8.0 lt 10.8.2

ge 10.7.0 lt 10.7.5

ge 1.0 lt 10.6.6

https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/
8fc615cc-8a66-11e8-8c75-d8cb8abf62ddGitlab -- Remote Code Execution Vulnerability in GitLab Projects Import

Gitlab reports:

Remote Code Execution Vulnerability in GitLab Projects Import


Discovery 2018-07-17
Entry 2018-07-18
gitlab-ce
gitlab
ge 11.0.0 lt 11.0.4

ge 10.8.0 lt 10.8.6

ge 8.9.0 lt 10.7.7

CVE-2018-14364
https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released/
e72a8864-e0bc-11e7-b627-d43d7e971a1bGitLab -- multiple vulnerabilities

GitLab reports:

User without access to private Wiki can see it on the project page

Matthias Burtscher reported that it was possible for a user to see a private Wiki on the project page without having the corresponding permission.

E-mail address disclosure through member search fields

Hugo Geoffroy reported via HackerOne that it was possible to find out the full e-mail address of any user by brute-forcing the member search field.

Groups API leaks private projects

An internal code review discovered that users were able to list private projects they had no access to by using the Groups API.

Cross-Site Scripting (XSS) possible by editing a comment

Sylvain Heiniger reported via HackerOne that it was possible for arbitrary JavaScript code to be executed when editing a comment.

Issue API allows any user to create a new issue even when issues are restricted or disabled

Mohammad Hasbini reported that any user could create a new issues in a project even when issues were disabled or restricted to team members in the project settings.


Discovery 2017-12-08
Entry 2017-12-14
gitlab
ge 4.2.0 le 10.0.6

ge 10.1.0 le 10.1.4

ge 10.2.0 le 10.2.3

https://about.gitlab.com/2017/12/08/gitlab-10-dot-2-dot-4-security-release/
65fab89f-2231-46db-8541-978f4e87f32agitlab -- Remote code execution on project import

GitLab developers report:

Today we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain a number of important security fixes, including two that prevent remote code execution, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.


Discovery 2018-01-16
Entry 2018-01-17
gitlab
lt 10.1.6

https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
CVE-2017-0915
CVE-2018-3710
86291013-16e6-11e8-ae9f-d43d7e971a1bGitLab -- multiple vulnerabilities

GitLab reports:

SnippetFinder information disclosure

The GitLab SnippetFinder component contained an information disclosure which allowed access to snippets restricted to Only team members or configured as disabled. The issue is now resolved in the latest version.

LDAP API authorization issue

An LDAP API endpoint contained an authorization vulnerability which unintentionally disclosed bulk LDAP groups data. This issue is now fixed in the latest release.

Persistent XSS mermaid markdown

The mermaid markdown feature contained a persistent XSS issue that is now resolved in the latest release.

Insecure direct object reference Todo API

The Todo API was vulnerable to an insecure direct object reference issue which resulted in an information disclosure of confidential data.

GitHub import access control issue

An improper access control weakness issue was discovered in the GitHub import feature. The issue allowed an attacker to create projects under other accounts which they shouldn't have access to. The issue is now resolved in the latest version.

Protected variables information disclosure

The CI jobs protected tag feature contained a vulnerability which resulted in an information disclosure of protected variables. The issue is now resolved in the latest release.


Discovery 2018-02-07
Entry 2018-02-21
gitlab
ge 6.1.0 le 10.2.7

ge 10.3.0 le 10.3.6

ge 10.4.0 le 10.4.2

https://about.gitlab.com/2018/02/07/gitlab-security-10-4-3-plus-10-3-7-plus-10-2-8-blog/
b950a83b-789e-11e8-8545-d8cb8abf62ddGitlab -- multiple vulnerabilities

Gitlab reports:

Wiki XSS

Sanitize gem updates

XSS in url_for(params)

Content injection via username

Activity feed publicly displaying internal project names

Persistent XSS in charts


Discovery 2018-06-25
Entry 2018-06-25
gitlab
ge 11.0.0 lt 11.0.1

ge 10.8.0 lt 10.8.5

ge 4.1 lt 10.7.6

CVE-2018-12606
CVE-2018-3740
CVE-2018-12605
CVE-2018-12607
https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
dc0c201c-31da-11e8-ac53-d8cb8abf62ddGitlab -- multiple vulnerabilities

GitLab reports:

SSRF in services and web hooks

There were multiple server-side request forgery issues in the Services feature. An attacker could make requests to servers within the same network of the GitLab instance. This could lead to information disclosure, authentication bypass, or potentially code execution. This issue has been assigned CVE-2018-8801.

Gitlab Auth0 integration issue

There was an issue with the GitLab omniauth-auth0 configuration which resulted in the Auth0 integration signing in the wrong users.


Discovery 2018-03-20
Entry 2018-03-27
Modified 2018-04-07
gitlab
ge 10.5.0 lt 10.5.6

ge 10.4.0 lt 10.4.6

ge 8.3 lt 10.3.9

CVE-2018-8801
https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/
085a087b-3897-11e8-ac53-d8cb8abf62ddGitlab -- multiple vulnerabilities

GitLab reports:

Confidential issue comments in Slack, Mattermost, and webhook integrations.

Persistent XSS in milestones data-milestone-id.

Persistent XSS in filename of merge request.


Discovery 2018-04-04
Entry 2018-04-05
gitlab
ge 10.6.0 lt 10.6.3

ge 10.5.0 lt 10.5.7

ge 8.6 lt 10.4.7

https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/