A vulnerability in GitLab’s email verification process could allow attackers to hijack the password reset process.
The issue, tracked as CVE-2023-7028 (CVSS score of 10) and introduced in GitLab 16.1.0, can be exploited to have password reset messages sent to an unverified email address.
GitLab 16.1.0 was released with the option to have password reset emails sent to a secondary email address, to prevent cases where users could not reset their passwords because they did not have access to the primary email inbox.
[...]
GitLab Patches Critical Password Reset Vulnerability
Robert B. Carleton + ISC2 Central Mississippi President