GitLab Accounts without 2FA Face Risk of Takeover via New Flaw: Patch Immediately
A newly disclosed critical vulnerability in GitLab leaves accounts at risk of
complete takeover if their owners have not enabled multi-factor authentication
(MFA).
The flaw, tracked as CVE-2023-7028
[https://nvd.nist.gov/vuln/detail/CVE-2023-7028], carries the maximum CVSS
severity score of 10. It allows attackers to reset account passwords through
secondary email addresses, exploiting a change introduced in version 16.1.0.
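As an added triage example (not from the article or from GitLab), the script below reads the instance version and the admin user list and reports which active accounts lack 2FA, the accounts the article says are exposed, on any release at or above 16.1.0, the version in which the flawed reset change appeared. The JSON is constructed inline to match the shape of GitLab's /api/v4/version and /api/v4/users responses; the patched release numbers are not given on this page, so a flagged instance must still be compared against the advisory.

```python
import json
import re

# Constructed sample responses. Field names follow GitLab's /api/v4/version and
# admin /api/v4/users responses (two_factor_enabled is only returned to admins);
# all values here are made up for this example.
VERSION_RESPONSE = '{"version": "16.5.1-ee", "revision": "deadbeef"}'
USERS_RESPONSE = json.dumps([
    {"id": 1, "username": "root",  "state": "active",  "two_factor_enabled": True},
    {"id": 2, "username": "alice", "state": "active",  "two_factor_enabled": False},
    {"id": 3, "username": "bob",   "state": "blocked", "two_factor_enabled": False},
    {"id": 4, "username": "carol", "state": "active",  "two_factor_enabled": True},
])

# Release in which the vulnerable password-reset change was introduced (per the article).
VULNERABLE_CHANGE_INTRODUCED = (16, 1, 0)


def parse_version(version: str) -> tuple:
    """Turn '16.5.1-ee' into (16, 5, 1); suffixes such as '-ee' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def has_vulnerable_change(version: str) -> bool:
    """True when the release line containing the flawed reset path is running.
    This is a necessary condition only: a True result means 'compare against the
    patched releases in the advisory', not 'definitely unpatched'."""
    return parse_version(version) >= VULNERABLE_CHANGE_INTRODUCED


def accounts_without_2fa(users_json: str) -> list:
    """Active accounts with no second factor: the ones exposed to takeover via this flaw.
    Blocked accounts are skipped because they cannot be logged into."""
    users = json.loads(users_json)
    return sorted(u["username"] for u in users
                  if u.get("state") == "active" and not u.get("two_factor_enabled", False))


def triage(version_json: str, users_json: str) -> dict:
    """Combine both checks into one report a responder can act on."""
    version = json.loads(version_json)["version"]
    affected_line = has_vulnerable_change(version)
    return {
        "version": version,
        "check_patch_level": affected_line,
        "exposed_accounts": accounts_without_2fa(users_json) if affected_line else [],
    }


if __name__ == "__main__":
    print(json.dumps(triage(VERSION_RESPONSE, USERS_RESPONSE), indent=2))
```

Against a live instance, replace the two constants with the bodies of the two API calls made with an admin token; enforcing 2FA for the listed accounts closes the exposure even before the upgrade is applied.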
Vulnerable Since May 2023
The vulnerable element was introduc