A vulnerability in GitLab’s email verification process could allow attackers to hijack the password reset process. The vulnerability, tracked as CVE-2023-7028 (CVSS score of 10) and introduced in GitLab 16.1.0, can be used to send password reset messages to an unverified email address.
GitLab 16.1.0 introduced the option to have password reset emails sent to a secondary email address, so that users who lose access to their primary inbox can still reset their passwords.
However, a flaw in the email verification process may allow password reset messages to be sent to unverified email addresses, effectively allowing attackers to hijack the password reset process and potentially take over accounts.
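A defender-side illustration of the principle behind this advisory, added here and not GitLab's own code: a password-reset request handler that accepts exactly one recipient string and dispatches a reset link only to an address already verified for the account. The account records, addresses and function names are constructed for the example.

```python
from dataclasses import dataclass
import secrets

@dataclass
class EmailRecord:
    address: str
    verified: bool

@dataclass
class Account:
    username: str
    emails: list  # primary and secondary addresses

# Constructed sample data: one account with a verified primary address and
# an unverified secondary address (hypothetical names, not real users).
ACCOUNTS = [
    Account("alice", [EmailRecord("alice@example.com", True),
                      EmailRecord("alice.backup@example.net", False)]),
]

def find_account_by_verified_email(address):
    """Match only against addresses whose ownership has been confirmed."""
    for acct in ACCOUNTS:
        if any(e.verified and e.address == address for e in acct.emails):
            return acct
    return None

def request_password_reset(requested_email, outbox):
    """Return a status string and append at most one reset message to outbox.

    The requested value must be exactly one string containing one '@';
    list-valued or otherwise malformed input is rejected before any lookup.
    """
    if not isinstance(requested_email, str) or requested_email.count("@") != 1:
        return "rejected: malformed recipient"
    address = requested_email.strip().lower()
    acct = find_account_by_verified_email(address)
    if acct is None:
        # Unknown and unverified addresses end the same way: nothing is sent.
        # A web handler would show the requester an identical response in
        # both the 'sent' and 'ignored' cases to avoid leaking which exists.
        return "ignored"
    token = secrets.token_urlsafe(32)
    # The reset link goes only to the single verified address that matched,
    # never to every address attached to the account.
    outbox.append({"to": address, "user": acct.username, "token": token})
    return "sent"
```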