Access Control Issue Allowing Guest Users to Modify or Delete Their Own Comments on Confidential Issues

CVE-2018-19576 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/AU:N/C:N/I:P/A:P

GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to edit or delete their own comments on an issue after the issue has been made Confidential.