SecurityWeek reports that GitLab has issued patches to address a critical-severity account takeover flaw, tracked as CVE-2022-1162, which affects GitLab Community Edition and Enterprise Edition versions prior to 14.7.7, 14.8.5, and 14.9.2.
Users who may have been impacted by the flaw also had their passwords reset, according to GitLab, which also released a script that enables administrators to identify potentially affected accounts. "Our investigation shows no indication that users or accounts have been compromised but we're taking precautionary measures for our users' security," GitLab said. Fixes for two high-severity cross-site scripting flaws, tracked as CVE-2022-1175 and CVE-2022-1190, have also been released.
Threat actors could exploit the first flaw, which stems from improper neutralization of user input in notes, to inject content into notes and carry out XSS attacks, while the second bug, which originates from improper handling of user input, could be exploited through multi-word milestone references in issue descriptions or comments.