| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2021-22211 |
863 |
|
|
2021-05-06 |
2021-05-13 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling. |
|
2 |
CVE-2021-22199 |
79 |
|
XSS |
2021-04-22 |
2021-04-30 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used. |
|
3 |
CVE-2021-22196 |
79 |
|
XSS |
2021-04-02 |
2021-04-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name. |
|
4 |
CVE-2021-22193 |
209 |
|
|
2021-03-24 |
2021-03-26 |
3.5 |
None |
Remote |
Medium |
??? |
Partial |
None |
None |
|
An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project. |
|
5 |
CVE-2021-22185 |
79 |
|
XSS |
2021-03-24 |
2021-03-26 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki |
|
6 |
CVE-2021-22183 |
79 |
|
XSS |
2021-03-04 |
2021-03-10 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions. |
|
7 |
CVE-2021-22182 |
79 |
|
XSS |
2021-03-03 |
2021-03-04 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge request. |
|
8 |
CVE-2020-26407 |
79 |
|
XSS |
2020-12-10 |
2020-12-11 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting to other users via importing a malicious project |
|
9 |
CVE-2020-13345 |
79 |
|
XSS |
2020-10-06 |
2020-10-15 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting all versions starting from 10.8. Reflected XSS on Multiple Routes |
|
10 |
CVE-2020-13340 |
79 |
|
XSS |
2020-10-08 |
2020-10-14 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log |
|
11 |
CVE-2020-13338 |
79 |
|
XSS |
2020-10-02 |
2020-10-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting versions prior to 12.10.13, 13.0.8, 13.1.2. A stored cross-site scripting vulnerability was discovered when editing references. |
|
12 |
CVE-2020-13337 |
79 |
|
XSS |
2020-10-02 |
2020-10-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting versions from 12.10 to 12.10.12 that allowed for a stored XSS payload to be added as a group name. |
|
13 |
CVE-2020-13336 |
79 |
|
XSS |
2020-09-30 |
2020-10-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting versions from 11.8 before 12.10.13. GitLab was vulnerable to a stored XSS by in the error tracking feature. |
|
14 |
CVE-2020-13331 |
79 |
|
XSS |
2020-09-30 |
2020-10-02 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS by in the Wiki pasges. |
|
15 |
CVE-2020-13330 |
79 |
|
XSS |
2020-09-30 |
2020-10-02 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in import the Bitbucket project feature. |
|
16 |
CVE-2020-13329 |
79 |
|
XSS |
2020-09-30 |
2020-10-02 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting versions from 12.6.2 prior to 12.10.13. GitLab was vulnerable to a stored XSS by in the blob view feature. |
|
17 |
CVE-2020-13328 |
79 |
|
XSS |
2020-09-30 |
2020-10-02 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. GitLab was vulnerable to a stored XSS by using the PyPi files API. |
|
18 |
CVE-2020-13326 |
|
|
Bypass |
2020-09-30 |
2020-10-02 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the restriction for Github project import could be bypassed. |
|
19 |
CVE-2020-13324 |
|
|
|
2020-09-30 |
2020-10-08 |
3.5 |
None |
Remote |
Medium |
??? |
Partial |
None |
None |
|
A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the private activity of a user could be exposed via the API. |
|
20 |
CVE-2020-13301 |
79 |
|
XSS |
2020-09-14 |
2020-09-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a stored XSS on the standalone vulnerability page. |
|
21 |
CVE-2020-13288 |
79 |
|
XSS |
2020-08-12 |
2020-08-14 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page |
|
22 |
CVE-2020-13285 |
79 |
|
XSS |
2020-08-13 |
2021-05-03 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting (XSS) vulnerability exists in the issue reference number tooltip. |
|
23 |
CVE-2020-13283 |
79 |
|
XSS |
2020-08-13 |
2020-08-14 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issues list via milestone title. |
|
24 |
CVE-2020-12276 |
79 |
|
XSS |
2020-04-29 |
2020-05-04 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature. |
|
25 |
CVE-2020-5197 |
863 |
|
|
2020-01-13 |
2020-01-21 |
3.5 |
None |
Remote |
Medium |
??? |
Partial |
None |
None |
|
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 5.1 through 12.6.1. It has Incorrect Access Control. |
|
26 |
CVE-2019-19311 |
79 |
|
XSS |
2020-01-03 |
2020-01-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields. |
|
27 |
CVE-2019-12445 |
79 |
|
Exec Code XSS |
2020-03-10 |
2020-03-10 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. A malicious user could execute JavaScript code on notes by importing a specially crafted project file. It allows XSS. |
|
28 |
CVE-2019-11548 |
79 |
|
XSS |
2019-09-09 |
2019-09-10 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues through an authorization issue in the note endpoint. |
|
29 |
CVE-2019-11546 |
362 |
|
|
2019-09-09 |
2019-09-10 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has a Race Condition which could allow users to approve a merge request multiple times and potentially reach the approval count required to merge. |
|
30 |
CVE-2019-10111 |
79 |
|
XSS |
2019-05-15 |
2019-05-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allows persistent XSS in the merge request "resolve conflicts" page. |
|
31 |
CVE-2019-5471 |
79 |
|
XSS |
2019-09-09 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS. This was addressed in GitLab 12.1.2, 12.0.4, and 11.11.6. |
|
32 |
CVE-2019-5467 |
79 |
|
XSS |
2019-09-09 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6. |
|
33 |
CVE-2018-20496 |
79 |
|
XSS |
2019-12-30 |
2020-01-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. |
|
34 |
CVE-2018-20491 |
79 |
|
XSS |
2019-12-30 |
2020-01-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. |
|
35 |
CVE-2018-20490 |
79 |
|
XSS |
2019-12-30 |
2020-01-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. |
|
36 |
CVE-2018-19579 |
79 |
|
XSS |
2019-07-10 |
2019-07-11 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1. |
|
37 |
CVE-2018-19574 |
79 |
|
XSS |
2019-07-10 |
2019-07-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page. |
|
38 |
CVE-2018-19573 |
79 |
|
XSS |
2019-07-10 |
2019-07-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
GitLab CE/EE, versions 10.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via Mermaid. |
|
39 |
CVE-2018-19570 |
79 |
|
XSS |
2019-07-10 |
2019-07-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags. |
|
40 |
CVE-2018-14606 |
79 |
|
XSS |
2018-07-27 |
2018-09-18 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur via a Milestone name during a promotion. |
|
41 |
CVE-2018-14605 |
79 |
|
XSS |
2018-07-27 |
2018-09-18 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur in the branch name during a Web IDE file commit. |
|
42 |
CVE-2018-12607 |
79 |
|
XSS |
2018-08-03 |
2018-10-03 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The charts feature contained a persistent XSS issue due to a lack of output encoding. |
|
43 |
CVE-2018-12606 |
79 |
|
XSS |
2018-08-03 |
2018-10-03 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The wiki contains a persistent XSS issue due to a lack of output encoding affecting a specific markdown feature. |
|
44 |
CVE-2018-12605 |
79 |
|
XSS |
2018-08-03 |
2018-10-03 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in GitLab Community Edition and Enterprise Edition 10.7.x before 10.7.6. The usage of 'url_for' contained a XSS issue due to it allowing arbitrary protocols as a parameter. |
