CVE-2024-6530 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting CWE-416 — Use After Free6 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

1.4%

top 19.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedOct 10

Description

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When adding a authorizing an application, it can be made to render as HTML under specific circumstances.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶CVEListV5gitlab/gitlab17.1 — 17.2.9+2

▶NVDgitlab/gitlab17.1.0 — 17.2.9+2

▶debiandebian/gitlab< gitlab 17.3.5-2 (sid)

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-m9cp-4p2h-f9p9: A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17↗2024-10-10

▶

📋Vendor Advisories

GitLab

CVE-2024-6530: A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5,↗2024-10-10

▶

Debian

CVE-2024-6530: gitlab - A cross-site scripting issue has been discovered in GitLab affecting all version...↗2024

▶

🕵️Threat Intelligence

Bleepingcomputer

GitLab warns of critical arbitrary branch pipeline execution flaw↗2024-10-10

▶