The all in one place for non-profit security aid.
The list of MOVEit hack victims continues to grow. Nickelodeon says breach contained decades old data. What nonprofits need to know about world privacy protections. Read More
The CyberWire
As if the writers’ strike weren’t enough. M&T Bank reports MOVEit-linked data breach.
As if the writers’ strike weren’t enough. M&T Bank reports MOVEit-linked data breach. Read More
The CyberWire
GitLab Security Flaw Let Attackers Inject Malicious Scripts: Patch Now
[[{“value”:”
GitLab has announced the release of updated versions for both its Community Edition (CE) and Enterprise Edition (EE), addressing critical vulnerabilities that could potentially allow attackers to inject malicious scripts and cause denial of service (DoS) attacks.
The versions released—16.10.1, 16.9.3, and 16.8.5—come as a part of GitLab’s ongoing efforts to maintain the highest security standards and protect its users from emerging cyber threats.
One of the most critical issues addressed in this update is a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-6371.
Document
Are you from The Team of SOC, Network Security, or Security Manager or CSO? Download Perimeter’s Guide to how cloud-based, converged network security improves security and reduces TCO.
Understand the importance of a zero trust strategy
Complete Network security Checklist
See why relying on a legacy VPN is no longer a viable security strategy
Get suggestions on how to present the move to a cloud-based network security solution
Explore the advantages of converged network security over legacy approaches
Discover the tools and technologies that maximize network security
Adapt to the changing threat landscape effortlessly with Perimeter 81’s cloud-based, unified network security platform.
This flaw affected all versions of GitLab CE/EE before 16.8.5, from 16.9 before 16.9.3, and 16.10 before 16.10.1. Attackers could exploit this vulnerability by injecting a crafted payload into a wiki page, leading to arbitrary actions being performed on behalf of the victims.
This high-severity issue, with a CVSS score of 8.7, underscores the potential risks to data integrity and user privacy.
The discovery of CVE-2023-6371 was credited to a user by the pseudonym “yvvdwf,” who reported the vulnerability through GitLab’s HackerOne bug bounty program.
GitLab’s prompt response to this report and subsequent patching of the vulnerability highlights the company’s commitment to security and the effectiveness of collaborative efforts in identifying and mitigating cyber threats.
Another vulnerability patched in the latest release is CVE-2024-2818, a medium-severity issue that could allow attackers to cause a denial of service (DoS) using maliciously crafted emojis.
This vulnerability affected the same version as CVE-2023-6371 and has a CVSS score of 4.3.
The flaw was reported by Quintin Crist of Trend Micro, further emphasizing the importance of community involvement in cybersecurity.
In addition to addressing these vulnerabilities, GitLab has also updated its PostgreSQL versions to 13.14 and 14.11, following the PostgreSQL project’s latest release.
This update is part of GitLab’s non-security patches, which also include various improvements and bug fixes aimed at enhancing the platform’s stability and performance.
GitLab strongly recommends that all users running affected versions upgrade to the latest version as soon as possible to mitigate the risks associated with these vulnerabilities.
The company’s dedication to security is evident in its regular release of patches and updates, as well as its comprehensive security FAQ and best practices for securing GitLab instances.
For more information on the vulnerabilities and the patches released, users are encouraged to visit GitLab’s official security release blog posts and the issue tracker, where details of each vulnerability will be made public 30 days after the release.
GitLab’s proactive approach to security, combined with the active participation of the cybersecurity community, plays a crucial role in safeguarding the platform against evolving cyber threats.
Users are urged to stay informed and take the necessary steps to ensure their installations are secure.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The post GitLab Security Flaw Let Attackers Inject Malicious Scripts: Patch Now appeared first on Cyber Security News.
“}]] Read More
Cyber Security News
FTC bans data broker from selling Americans’ location data
Today, the U.S. Federal Trade Commission (FTC) banned data broker Outlogic, formerly X-Mode Social, from selling Americans’ raw location data that could be used for tracking purposes. […] Read More
BleepingComputer