Security Vulnerabilities - CVEs Published In June 2025
Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.
CVSS Score
4.8
EPSS Score
0.002
Published
2025-06-12
Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET
requests to gather sensitive information. An attacker could also send HTTP POST requests to modify
the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service
attack.
CVSS Score
8.6
EPSS Score
0.006
Published
2025-06-12
Files in the source code contain login credentials for the admin user and the property configuration password, allowing an attacker to get full access to the application.
CVSS Score
7.5
EPSS Score
0.005
Published
2025-06-12
All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files.
CVSS Score
7.5
EPSS Score
0.002
Published
2025-06-12
A remote unauthorized attacker may gather sensitive information of the application, due to missing authorization of configuration settings of the product.
CVSS Score
7.5
EPSS Score
0.004
Published
2025-06-12
The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source.
CVSS Score
5.5
EPSS Score
0.002
Published
2025-06-12
An issue has been discovered in GitLab EE affecting all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2. It may have been possible for private repository to be cloned in case of race condition when a secondary node is out of sync.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-06-12
A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
CVSS Score
7.5
EPSS Score
0.021
Published
2025-06-12
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. It was possible for authenticated users to access arbitrary compliance frameworks, leading to unauthorized data disclosure.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-06-12
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2, allow an attacker to trigger an infinite redirect loop, potentially leading to a denial of service condition.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-06-12