CVE-2023-5933

An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.8.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:16.8.0:*:*:*:enterprise:*:*:*

History

31 Jan 2024, 20:31

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
References () https://gitlab.com/gitlab-org/gitlab/-/issues/430236 - () https://gitlab.com/gitlab-org/gitlab/-/issues/430236 - Broken Link
References () https://hackerone.com/reports/2225710 - () https://hackerone.com/reports/2225710 - Permissions Required
References () https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/ - () https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/ - Vendor Advisory
CPE cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:16.8.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:16.8.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
CWE CWE-79
First Time Gitlab
Gitlab gitlab

26 Jan 2024, 01:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-26 01:15

Updated : 2024-02-28 20:54


NVD link : CVE-2023-5933

Mitre link : CVE-2023-5933

CVE.ORG link : CVE-2023-5933


JSON object : View

Products Affected

gitlab

  • gitlab
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)