GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group. Date published : 2020-03-13 https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/index.html https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain conditions where users should have been required to configure two-factor authentication, it was not being required. Date published : 2020-03-13 https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/index.html https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
GitLab 12.1 through 12.8.1 allows XSS. The merge request submission form was determined to have a stored cross-site scripting vulnerability. Date published : 2020-03-13 https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/index.html https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk. Date published : 2020-03-13 https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/index.html https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
GitLab 12.1 through 12.8.1 allows XSS. A stored cross-site scripting vulnerability was discovered when displaying merge requests. Date published : 2020-03-13 https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/index.html https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
GitLab 12.5 through 12.8.1 allows HTML Injection. A particular error header was potentially susceptible to injection or potentially other vulnerabilities via unescaped input. Date published : 2020-03-13 https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/index.html https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link. Date published : 2020-03-13 https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/index.html https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
GitLab EE 12.4.2 through 12.8.1 allows Denial of Service. It was internally discovered that a potential denial of service involving permissions checks could impact a project home page. Date published : 2020-03-13 https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/index.html https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
bitcoind and Bitcoin-Qt prior to 0.10.2 allow attackers to cause a denial of service (disabled functionality such as a client application crash) via an "Easy" attack. Date published : 2020-03-12 https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
bitcoind and Bitcoin-Qt prior to 0.15.1 have a stack-based buffer overflow if an attacker-controlled SOCKS proxy server is used. This results from an integer signedness error when the proxy server responds with an acknowledgement...
bitcoind and Bitcoin-Qt prior to 0.17.1 allow injection of arbitrary data into the debug log via an RPC call. Date published : 2020-03-12 https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-20586
messagepartthemes/default/defaultrenderer.cpp in messagelib in KDE Applications before 18.12.0 does not properly restrict the handling of an http-equiv="REFRESH" value. Date published : 2020-03-12 https://cgit.kde.org/messagelib.git/commit/messageviewer/src/messagepartthemes/default/defaultrenderer.cpp?id=34765909cdf8e55402a8567b48fb288839c61612
yidashi yii2cmf 2.0 has XSS via the /search q parameter. Date published : 2020-03-12 http://testh5shanglv.minshengec.com:1024/phpmyadmin/doc/yii2cmf_xss.htm https://github.com/yidashi/yii2cmf
Authenticated, administrative access to a Barracuda Load Balancer ADC running unpatched firmware