CVE-2022-0167: Annual pentest finding (2021) - Autocomplete Enabled (#339146) · Issues · GitLab.org / GitLab · GitLab

An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not disabling the Autocomplete attribute of fields related to sensitive information making it possible to be retrieved under certain conditions.


Location

• https://gitlab.com/users/password/new (user_email) 
• https://gitlab.com/users/sign_in (user_login) 
• https://gitlab.com/users/sign_in (user_password) 
• https://gitlab.com/users/sign_up (new_user_first_name) 
• https://gitlab.com/users/sign_up (new_user_last_name) 
• https://gitlab.com/users/sign_up (new_user_username) 
• https://gitlab.com/users/sign_up (new_user_email) 
• https://gitlab.com/users/sign_up (new_user_password) 
• https://gitlab.com/users/confirmation/new (user_email) 
• https://gitlab.com/groups/new#import-group-pane (bulk_import_gitlab_access_token) 

Impact

Sensitive data such as usernames, passwords, and access tokens could be retrieved locally via the browser’s history if the local user’s system is compromised.

Description

The autocomplete function, implemented by many popular browsers, gives a user the option of storing form field values so that the browser can automatically populate the same fields of a form later. Although this feature can be a convenience for users of the application, it creates a security risk: sensitive user data such as usernames, passwords, and access tokens is stored locally and may be recovered if an attacker is able to gain access to the workstation, or through exploitation of a cross-site scripting vulnerability. GitLab.com did not set the autocomplete attribute to OFF on form fields containing sensitive data.

Recommendation

Forms containing sensitive information should have the autocomplete option disabled on both the form and the sensitive fields [16, 17]. For example:

<form autocomplete="off"> 
… 
<input type="text" name="user_email" autocomplete="off"> 
<input type="text" name="user_login" autocomplete="off"> 
… 
</form> 

Although recent versions of most modern browsers do not respect the autocomplete attribute for fields of type “password”, it is still recommended to follow this practice, as users could have changed their browsers’ policies to respect this attribute.
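One way to check rendered pages against this recommendation, as an added example that is not part of the GitLab issue or GitLab's code: a small audit that parses HTML and reports sensitive inputs where either the field or its enclosing form lacks autocomplete="off". The SENSITIVE_HINTS list, the function names and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: name substrings treated as sensitive, modelled on the field ids listed above.
SENSITIVE_HINTS = ("email", "login", "username", "password", "token", "first_name", "last_name")

class AutocompleteAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_off = None  # None outside a form, else whether the current form sets "off"
        self.findings = []    # (field name, reason) for every sensitive field not covered

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete") == "off"
        elif tag == "input":
            name = a.get("name") or a.get("id") or ""
            sensitive = a.get("type") == "password" or any(h in name for h in SENSITIVE_HINTS)
            if not sensitive or a.get("type") == "hidden":  # hidden inputs hold no user-typed value
                return
            if a.get("autocomplete") != "off":
                self.findings.append((name, "field lacks autocomplete=off"))
            elif self.form_off is False:
                self.findings.append((name, "enclosing form lacks autocomplete=off"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = None

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup for this example, not GitLab's actual templates.
SAMPLE = """
<form action="/users/sign_in">
  <input type="hidden" name="authenticity_token" value="constructed">
  <input type="text" name="user_login">
  <input type="password" name="user_password" autocomplete="off">
</form>
<form autocomplete="off">
  <input type="text" name="user_email" autocomplete="off">
  <input type="text" name="bulk_import_gitlab_access_token" autocomplete="OFF">
</form>
"""

if __name__ == "__main__":
    print("\n".join(f"{n}: {r}" for n, r in audit(SAMPLE)))
```

Password fields are still reported when the attribute is missing, in line with the recommendation to set it even where browsers may ignore it.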
