# gitlab-exploit
GitLab CVE-2023-7028

The vulnerability was caused by a bug in how GitLab handled email verification during password reset. An attacker could provide two email addresses during a password reset request, and the reset code would be sent to both addresses. This allowed the attacker to reset the password of any user, even if they didn't know the user's current password.
## Affected Versions
All instances of GitLab CE/EE using the following versions were vulnerable:
- 16.1 to 16.1.5
- 16.2 to 16.2.8
- 16.3 to 16.3.6
- 16.4 to 16.4.4
- 16.5 to 16.5.5
- 16.6 to 16.6.3
- 16.7 to 16.7.1

## Recommendations
- Enable GitLab security alerts that would allow early awareness of patches.
- Upgrade GitLab to a patched version.
- Enable two-factor authentication (2FA) for all GitLab accounts, especially administrator accounts.
- Follow secure coding practices, including proper input validation and email address verification.
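The two-address password reset described above, and the input-validation recommendation, as an added defender-side example that is not part of this repository: a hardened check that accepts only a single plain-string email, and a scanner that flags reset requests whose email field carries more than one address. The log entries are constructed in an assumed JSON shape (`method`, `path`, `remote_ip` and a `params` list of key/value pairs), not copied from real GitLab output.

```python
import json

# Constructed request-log entries in an assumed JSON shape; not real GitLab log output.
# Entry 2 carries two addresses in user[email], the CVE-2023-7028 pattern.
SAMPLE_LOG_LINES = [
    json.dumps({"method": "POST", "path": "/users/password", "remote_ip": "203.0.113.5",
                "params": [{"key": "user", "value": {"email": "alice@example.com"}}]}),
    json.dumps({"method": "POST", "path": "/users/password", "remote_ip": "198.51.100.9",
                "params": [{"key": "user", "value": {"email": ["alice@example.com",
                                                               "attacker@example.net"]}}]}),
    json.dumps({"method": "GET", "path": "/users/sign_in", "remote_ip": "203.0.113.5",
                "params": []}),
]


def reset_email_value(entry):
    """Return the raw user[email] value of a password-reset POST, or None otherwise."""
    if entry.get("method") != "POST" or entry.get("path") != "/users/password":
        return None
    for param in entry.get("params", []):
        if param.get("key") == "user" and isinstance(param.get("value"), dict):
            return param["value"].get("email")
    return None


def validate_single_email(value):
    """Hardened check: exactly one address, supplied as a plain string.
    A list of addresses (or a comma-joined string) is rejected."""
    return isinstance(value, str) and value.count("@") == 1 and "," not in value


def scan_for_multi_email_resets(lines):
    """Flag reset requests whose email field fails the single-address check."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        value = reset_email_value(entry)
        if value is not None and not validate_single_email(value):
            hits.append((entry.get("remote_ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in scan_for_multi_email_resets(SAMPLE_LOG_LINES):
        print(f"suspicious password reset from {ip}: email={value!r}")
```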