{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-0362", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2025-01-09T11:30:38.844Z", "datePublished": "2025-04-10T14:31:17.009Z", "dateUpdated": "2025-04-10T14:56:33.843Z"}, "containers": {"cna": {"title": "Improper Restriction of Rendered UI Layers or Frames in GitLab", "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://[email protected]:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "7.7", "status": "affected", "lessThan": "17.8.7", "versionType": "semver"}, {"version": "17.9", "status": "affected", "lessThan": "17.9.6", "versionType": "semver"}, {"version": "17.10", "status": "affected", "lessThan": "17.10.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames", "cweId": "CWE-1021", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/512425", "name": "GitLab Issue #512425", "tags": ["issue-tracking", "permissions-required"]}, {"url": "https://hackerone.com/reports/2926425", "name": "HackerOne Bug Bounty Report #2926425", "tags": ["technical-description", "exploit", "permissions-required"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 17.8.7, 17.9.6, 17.10.4 or above."}], "credits": [{"lang": "en", "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2025-04-10T14:31:17.009Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-10T14:56:03.299148Z", "id": "CVE-2025-0362", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T14:56:33.843Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0362", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-10T14:56:03.299148Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T14:56:25.899Z"}}], "cna": {"title": "Improper Restriction of Rendered UI Layers or Frames in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://[email protected]:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "7.7", "lessThan": "17.8.7", "versionType": "semver"}, {"status": "affected", "version": "17.9", "lessThan": "17.9.6", "versionType": "semver"}, {"status": "affected", "version": "17.10", "lessThan": "17.10.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 17.8.7, 17.9.6, 17.10.4 or above."}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/512425", "name": "GitLab Issue #512425", "tags": ["issue-tracking", "permissions-required"]}, {"url": "https://hackerone.com/reports/2926425", "name": "HackerOne Bug Bounty Report #2926425", "tags": ["technical-description", "exploit", "permissions-required"]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2025-04-10T14:31:17.009Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0362", "state": "PUBLISHED", "dateUpdated": "2025-04-10T14:56:33.843Z", "dateReserved": "2025-01-09T11:30:38.844Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2025-04-10T14:31:17.009Z", "assignerShortName": "GitLab"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "9117D28C-FE99-4EF0-83F3-CA5D78B154D6", "versionEndExcluding": "17.8.7", "versionStartIncluding": "7.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E5662965-ECBA-4B15-9BCE-B60C742E0C52", "versionEndExcluding": "17.8.7", "versionStartIncluding": "7.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "DA3826E3-A00E-4E5A-81A0-28DCB2BE10B5", "versionEndExcluding": "17.9.6", "versionStartIncluding": "17.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2BE64DE3-7E01-4B8C-81D3-A1443D2450A3", "versionEndExcluding": "17.9.6", "versionStartIncluding": "17.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "73742B4C-F768-4F0D-A34D-B551A3BC6177", "versionEndExcluding": "17.10.4", "versionStartIncluding": "17.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F95150D7-C98E-4177-AB2B-8E9B7100DF2D", "versionEndExcluding": "17.10.4", "versionStartIncluding": "17.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf."}, {"lang": "es", "value": " Se ha descubierto un problema en GitLab CE/EE que afecta a todas las versiones desde la 7.7 hasta la 17.8.7, la 17.9 hasta la 17.9.6 y la 17.10 hasta la 17.10.4. Bajo ciertas condiciones, un atacante podr\u00eda potencialmente enga\u00f1ar a los usuarios para que autoricen involuntariamente acciones confidenciales en su nombre."}], "id": "CVE-2025-0362", "lastModified": "2025-08-07T18:34:06.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-04-10T15:16:02.337", "references": [{"source": "[email protected]", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/512425"}, {"source": "[email protected]", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/2926425"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "[email protected]", "type": "Primary"}]}

{}