CVE-2024-2279 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.5%

top 33.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedApr 12

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6 all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete for issues references feature a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages5 packages

▶CVEListV5gitlab/gitlab16.7 — 16.8.6+2

▶NVDgitlab/gitlab16.7.0 — 16.8.6+2

▶debiandebian/gitlab< gitlab 17.3.5-2 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-4g69-rp74-jj24: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16↗2024-04-12

▶

OSV

CVE-2024-2279: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16↗2024-04-12

▶

📋Vendor Advisories

GitLab

CVE-2024-2279: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6 all versions starting from 16.9 before 16.9.4, all ve↗2024-04-12

▶

Debian

CVE-2024-2279: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro...↗2024

▶