Headline
CVE-2021-39875: 2021/CVE-2021-39875.json · master · GitLab.org / cves · GitLab
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
Related news
In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly.
In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS.
In JetBrains TeamCity before 2021.1.2, stored XSS is possible.
In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible.
In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.
In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient.
In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing.
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.
In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project.
JetBrains YouTrack Mobile before 2021.2, is missing the security screen on Android and iOS.
JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.
In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.
JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.
An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted.