ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink
Workspace boundary enforcement currently has three related bypass risks. This issue tracks fixing all three in one pull request.
This site offers a simple way to search for advisories in the GitLab Advisory Database. The database contains information about security issues in software dependencies that you might be using in your projects.
GitLab’s Dependency Scanning feature also utilizes this database to scan your application’s dependencies for known vulnerabilities.
The generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (auth_token: None), an attacker who can reach POST /webhook can spoof an allowlisted sender and choose arbitrary chat_id values, enabling high-risk message spoofing and potential IDOR-style session/chat routing abuse.
The email channel authorizes senders based on the parsed From header identity only. If upstream email authentication/enforcement is weak (for example, relaxed SPF/DKIM/DMARC handling), an attacker can spoof an allowlisted sender address and have the message treated as trusted input.
Affected versions of Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. The Winter CMS maintainers strongly recommend that all …
The GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors.
The link.href check in makeTagSafe (safe.ts, lines 68-71) uses String.includes(), which is case-sensitive: if (key === 'href') { if (val.includes('javascript:') || val.includes('data:')) { return } next[key] = val } Browsers treat URI schemes case-insensitively. DATA:text/css,… is the same as data:text/css,… to the browser, but 'DATA:…'.includes('data:') returns false.
useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that Nuxt docs recommend for safely handling user-generated content.
The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a data-trix-serialized-attributes attribute bypasses the DOMPurify sanitizer. An attacker could craft HTML containing a data-trix-serialized-attributes attribute with a malicious payload that, when the content is rendered, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
This advisory has been marked as a false positive.
This advisory has been marked as False Positive and has been removed.
This affects the package unisharp/laravel-filemanager from The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: - Install a package with a web Laravel application. - Navigate to the Upload window - Upload an image file, then capture the request - Edit the request contents with a malicious file (webshell) - Enter the path of file uploaded on …
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-j96m-mjp6-99xr. This link is maintained to preserve external references. Original Description A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in …
An issue was discovered in GoBGP before 3.35.0 (introduced in v3.11.0). pkg/packet/bgp/bgp.go allows attackers to cause a panic via a zero value for softwareVersionLen.
Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stays valid instead of expiring. If a user finds that their account has been compromised, they can update their password. The bad actor, though, will still have access to their account because the bad actor's Access Token stays on the list as a valid token. The user will have to …