1 comment

[ 0.82 ms ] story [ 9.2 ms ] thread
A number of important fixes, including one critical issue

  [critical] Remote Command Execution via Project Imports
  [high] XSS in ZenTao integration affecting self hosted instances without strict CSP
  [high] XSS in project settings page
  [high] Unallowed users can read unprotected CI variables
  [medium] IP allow-list bypass to access Container Registries
  [medium] 2FA status is disclosed to unauthenticated users
  [medium] Restrict membership by email domain bypass
  [medium] IDOR in sentry issues
  [medium] Reporters can manage issues in error tracking
  [medium] CI variables provided to runners outside of a group's restricted IP range
  [medium] Regular Expression Denial of Service via malicious web server responses
  [medium] Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint
  [low] Unauthorized read for conan repository
  [low] Open redirect vulnerability
  [low] Group labels are editable through subproject
  [low] Release titles visible for any users if group milestones are associated with any project releases