CVE-2024-7047
Published 2024-07-25
CVE-2024-7047: A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1…
Priority: P4 · 27 · medium · CVSS 3.1 base score 5.4
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.32% (24.0th percentile)
A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 17.3.5-2 (sid) | gitlab 17.3.5-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 16.6 < 17.0.5 | 17.0.5 |
| gitlab | gitlab | >= 16.6.0 < 17.0.5 | 17.0.5 |
| gitlab | gitlab | >= 17.1 < 17.1.3 | 17.1.3 |
| gitlab | gitlab | >= 17.1.0 < 17.1.3 | 17.1.3 |
| gitlab | gitlab | >= 17.2 < 17.2.1 | 17.2.1 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| vendor_redhat | — | 8.1 | HIGH | — |
| vendor_debian | — | 7.7 | HIGH | — |
Red Hat
CVE-2024-45321 [HIGH] perl-App-cpanminus: Insecure HTTP in App::cpanminus Allows Code Execution Vulnerability
vendor_redhat · 2024-08-27 · CVSS 8.1
The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.
A flaw was found in App::cpanminus (cpanm) through version 1.7047. The default configuration downloads Perl modules from CPAN using HTTP, which could allow an attacker to view or modify the content without the knowledge of the user. This issue could allow an attacker to execute malicious code if they have the ability to intercept and modify the content before it reaches the user.
Mitigation: A user can force cpanminus to use an HTTPS mirror using the --from command-line argument. This can be configured as a CLI option or as an environment variable.
As a command line argume
GitLab
CVE-2024-7047 [HIGH] CWE-79
vendor_gitlab · 2024-07-25 · CVSS 7.7
CVE-2024-7047: A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.
Debian
CVE-2024-7047 [HIGH] gitlab
vendor_debian · 2024 · CVSS 7.7
A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.
Scope: local
sid: resolved (fixed in 17.3.5-2)
GHSA
GHSA-x8pf-46vx-rg97 [HIGH] CWE-79 (CVE-2024-7047)
ghsa_unreviewed · 2024-07-25
A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.
No detection rules found.
No public exploits indexed.
Published: 2024-07-25