CVE-2018-9243 — Cross-site Scripting in GitLab
Severity
6.1 MEDIUM (NVD)
EPSS
0.1%
top 76.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 5
Latest update: May 14
Description
GitLab Community and Enterprise Editions versions 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross-site scripting (specifically, via filenames in the changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages: 3 packages
Vulnerability Details (2)
Vendor Advisories (2)
GitLab
CVE-2018-9243: GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request componen (2018-04-05)
Debian
CVE-2018-9243: gitlab - GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable t... (2018)