{"id":"CVE-2019-7176","details":"An issue was discovered in GitLab Community and Enterprise Edition 8.x (starting in 8.9), 9.x, 10.x, and 11.x before 11.5.9, 11.6.x before 11.6.7, and 11.7.x before 11.7.2. It has Incorrect Access Control. Guest users are able to add reaction emojis on comments to which they have no visibility.","modified":"2026-04-10T04:20:02.496581Z","published":"2019-09-09T21:15:12.310Z","references":[{"type":"ADVISORY","url":"https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/"},{"type":"EVIDENCE","url":"https://gitlab.com/gitlab-org/gitlab-ce/issues/51332"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"eb7f876a679dba6ae5ec739f94265f0e0f3516e8"},{"last_affected":"605f7bc3b05a8dcefb508a9ea3011bf9e9bc449a"},{"introduced":"eb7f876a679dba6ae5ec739f94265f0e0f3516e8"},{"last_affected":"605f7bc3b05a8dcefb508a9ea3011bf9e9bc449a"},{"introduced":"f33774cb120324d428dabf52c89b8a65e4d4c166"},{"last_affected":"9c32fedb6d29601a9cb698a25f8b917724b484b3"},{"introduced":"f33774cb120324d428dabf52c89b8a65e4d4c166"},{"last_affected":"9c32fedb6d29601a9cb698a25f8b917724b484b3"},{"introduced":"235b8d50ad14e7cdf4bc61c3df070f38dee97974"},{"last_affected":"6b5c78f6ca15386fd084425daaefb299412c9adc"},{"introduced":"235b8d50ad14e7cdf4bc61c3df070f38dee97974"},{"last_affected":"6b5c78f6ca15386fd084425daaefb299412c9adc"},{"introduced":"c6f72ac9a88521257991aa9a0cc6d558126f5bb9"},{"fixed":"11dfbc1f313940489243c259944a380769ad4f86"},{"introduced":"c6f72ac9a88521257991aa9a0cc6d558126f5bb9"},{"fixed":"11dfbc1f313940489243c259944a380769ad4f86"},{"introduced":"4c09765c6424a96be7c7ae7707db3bda4e9c4ab4"},{"fixed":"4747ff7de2c1df3d93a9dad0b4f24ec046e06eb2"},{"introduced":"4c09765c6424a96be7c7ae7707db3bda4e9c4ab4"},{"fixed":"4747ff7de2c1df3d93a9dad0b4f24ec046e06eb2"},{"introduced":"c02f0d47774ac40ee0d1097d00d7980ef0c7012c"},{"fixed":"769515de2384d9fbf072f8d7bbfbde93034f2187"},{"introduced":"c02f0d47774ac40ee0d1097d00d7980ef0c7012c"},{"fixed":"769515de2384d9fbf072f8d7bbfbde93034f2187"}],"database_specific":{"versions":[{"introduced":"8.9.0"},{"last_affected":"8.17.8"},{"introduced":"8.9.0"},{"last_affected":"8.17.8"},{"introduced":"9.0.0"},{"last_affected":"9.5.10"},{"introduced":"9.0.0"},{"last_affected":"9.5.10"},{"introduced":"10.0.0"},{"last_affected":"10.8.6"},{"introduced":"10.0.0"},{"last_affected":"10.8.6"},{"introduced":"11.0.0"},{"fixed":"11.5.9"},{"introduced":"11.0.0"},{"fixed":"11.5.9"},{"introduced":"11.6.0"},{"fixed":"11.6.7"},{"introduced":"11.6.0"},{"fixed":"11.6.7"},{"introduced":"11.7.0"},{"fixed":"11.7.2"},{"introduced":"11.7.0"},{"fixed":"11.7.2"}]}}],"versions":["v11.6.0-ee","v11.6.1-ee","v11.6.2-ee","v11.6.3-ee","v11.6.4-ee","v11.6.5-ee","v11.6.6-ee","v11.7.0-ee","v11.7.1-ee"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-7176.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}