GitLab Community Edition/Enterprise Edition up to 13.0.1 Mermaid Payload PUT Request privileges management


A vulnerability was found in GitLab Community Edition and Enterprise Edition up to 13.0.1 (Bug Tracking Software). It has been classified as critical. An unknown part of the code of the component Mermaid Payload Handler is affected. No information about possible countermeasures is known. Replacing the affected object with an alternative product may be suggested.

Entry history: revisions of 06/21/2020 09:31 AM, 10/26/2020 08:11 AM and 10/26/2020 08:18 AM. Field values are identical across all three revisions unless noted.

Field                   Value
vendor                  GitLab
name                    Community Edition/Enterprise Edition
version                 <=13.0.1
component               Mermaid Payload Handler
input_type              PUT Request
risk                    2
cvss2_vuldb_basescore   6.8
cvss2_vuldb_tempscore   6.8
cvss2_vuldb_av          N
cvss2_vuldb_ac          M
cvss2_vuldb_au          N
cvss2_vuldb_ci          P
cvss2_vuldb_ii          P
cvss2_vuldb_ai          P
cvss3_meta_basescore    6.6
cvss3_meta_tempscore    6.6
cvss3_vuldb_basescore   7.1
cvss3_vuldb_tempscore   7.1
cvss3_vuldb_av          N
cvss3_vuldb_ac          L
cvss3_vuldb_pr          N
cvss3_vuldb_ui          R
cvss3_vuldb_s           C
cvss3_vuldb_c           L
cvss3_vuldb_i           L
cvss3_vuldb_a           L
date                    1592524800 (06/19/2020)
url                     https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13262.json
price_0day              $0-$5k
cve                     CVE-2020-13262
seealso                 157060 157059 157058 157055
location                Website
cvss2_vuldb_e           ND
cvss2_vuldb_rl          ND
cvss2_vuldb_rc          ND
cvss3_vuldb_e           X
cvss3_vuldb_rl          X
cvss3_vuldb_rc          X
cvss3_nvd_basescore     6.1
type                    Bug Tracking Software
cvss3_nvd_av            N
cvss3_nvd_ac            L
cvss3_nvd_pr            N
cvss3_nvd_ui            R
cvss3_nvd_s             C
cvss3_nvd_c             L
cvss3_nvd_i             L
cvss3_nvd_a             N
cve_assigned            1590019200
cve_nvd_summary         Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requests on behalf of other users via clicking on a link
cwe                     269 (privilege escalation)
confirm_url             https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13262.json (present in two of the three revisions)
cve_cna                 GitLab Inc. (present in one of the three revisions)
