FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

GitLab -- multiple vulnerabilities

Affected packages
10.8.0 <= gitlab < 10.8.2
10.7.0 <= gitlab < 10.7.5
1.0 <= gitlab < 10.6.6

Details

VuXML ID 9557dc72-64da-11e8-bc32-d8cb8abf62dd
Discovery 2018-05-29
Entry 2018-05-31

GitLab reports:

Removing public deploy keys regression

Users can update their password without entering current password

Persistent XSS - Selecting users as allowed merge request approvers

Persistent XSS - Multiple locations of user selection drop downs

include directive in .gitlab-ci.yml allows SSRF requests

Permissions issue in Merge Requests Create Service

Arbitrary assignment of project fields using "Import project"

References

URL https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/