In GitLab CE/EE versions 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 a medium severity vulnerability CVE-2024-12379 was detected. This vulnerability allows attackers to impact the availability of GitLab via unbounded symbol creation using the scopes parameter in a Personal Access Token. To address this issue, users should upgrade GitLab CE/EE to versions 17.8.2, 17.7.4, 17.6.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12379.
In GitLab CE/EE versions 13.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 a high severity vulnerability CVE-2025-0376 was detected. This vulnerability allows attackers to execute unauthorized actions via a change page through a stored Cross-Site Scripting (XSS) attack. To address this issue, users should upgrade GitLab CE/EE to versions 17.8.2, 17.7.4, 17.6.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0376.
In GitLab CE/EE versions 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 a medium severity vulnerability CVE-2025-0516 was detected. This vulnerability allows users with limited permissions to perform unauthorized actions on critical project data due to improper authorization. To address this issue, users should upgrade GitLab CE/EE to versions 17.8.2, 17.7.4, 17.6.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0516.
In Node.js version 21.7.3 a high severity vulnerability CVE-2025-23089 was detected. This vulnerability informs users that they are using End-of-Life (EOL) versions of Node.js, which no longer receive updates or security patches, potentially exposing systems to security risks due to unaddressed vulnerabilities or dependencies. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-23089.
In OpenShift version 4 a medium severity vulnerability CVE-2025-0750 was detected in CRI-O. This vulnerability allows an attacker with permissions to create and delete Pods to unmount arbitrary host paths due to a path traversal issue in the log management functions (UnMountPodLogs and LinkContainerLogs). Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-0750.
In PrestaShop version 8.1.7 a medium severity vulnerability CVE-2025-1230 was detected. This vulnerability allows attackers to exploit a Stored Cross-Site Scripting (XSS) flaw due to the lack of proper validation of user input through ‘/
In Brizy – Page Builder plugin for WordPress versions 2.6.8 and prior a medium severity vulnerability CVE-2024-10322 was detected. This vulnerability allows authenticated attackers with Author-level access and above to exploit insufficient input sanitization and output escaping via REST API SVG file uploads, potentially resulting in stored Cross-Site Scripting (XSS) attacks that inject arbitrary web scripts, which execute whenever a user accesses the SVG file. To address this issue, users should upgrade Brizy – Page Builder plugin to version 2.6.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10322.
In Welcart e-Commerce plugin for WordPress versions 2.11.9 and prior a high severity vulnerability CVE-2025-0511 was detected. This vulnerability allows attackers to exploit insufficient input sanitization and output escaping via the ‘name’ parameter, enabling unauthenticated attackers to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. To address this issue, users should upgrade Welcart e-Commerce plugin to version 2.11.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0511.
In GitLab CE/EE all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2 a medium severity vulnerability CVE-2025-1072 was detected. This vulnerability allows attackers to cause a denial of service by importing maliciously crafted content using the Fogbugz importer. To fix this issue, users should upgrade GitLab CE/EE to versions 17.3.7, 17.4.4, or 17.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2025-1072.