---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Vulnerabilities in GitLab'
number: '2024-051'
version: '1.0'
original_date: 'May 27, 2024'
date: 'May 22, 2024'
---

_History:_

* _27/05/2024 --- v1.0 -- Initial publication_

# Summary

On May 22, GitLab released several versions of GitLab Community Edition (CE) and Enterprise Edition (EE) containing important bug and security fixes [1]. These fixes notably address a vulnerability that would allow an attacker to take over accounts via an XSS weakness.

It is strongly recommended to upgrade affected versions to the latest version as soon as possible.

# Technical Details

The vulnerability **CVE-2024-4835**, with a CVSS score of 8.0, is due to an XSS weakness within GitLab. By leveraging this condition via the VS Code editor (Web IDE), an attacker can craft a malicious page to exfiltrate sensitive user information. User interaction is needed to exploit this vulnerability, which increases the attack complexity.

# Affected Products

All GitLab Community Edition (CE) and Enterprise Edition (EE) versions up to 16.10.6, versions 16.11 up to 16.11.3, and versions 17.0 up to 17.0.1 are affected by at least one of the vulnerabilities [1].

# Recommendations

It is strongly recommended to upgrade affected versions to the latest version as soon as possible.

# References

[1]
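To help triage an inventory of GitLab instances against the affected version ranges listed under "Affected Products", the following Python check is an added example (not part of the CERT-EU advisory or of GitLab's own tooling); the version strings in it are constructed sample inputs.

```python
"""Check whether a GitLab CE/EE version falls in the ranges the advisory
lists as affected (all versions up to 16.10.6, 16.11 up to 16.11.3,
17.0 up to 17.0.1). Added example, not advisory or GitLab code."""
import re

# Affected ranges from the advisory, inclusive on both ends.
# A lower bound of None means "every earlier version".
AFFECTED_RANGES = [
    (None, (16, 10, 6)),          # all versions up to 16.10.6
    ((16, 11, 0), (16, 11, 3)),   # 16.11 up to 16.11.3
    ((17, 0, 0), (17, 0, 1)),     # 17.0 up to 17.0.1
]

# MAJOR.MINOR.PATCH with an optional suffix such as "-ee", as GitLab reports it.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-.*)?$")


def parse_version(text):
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch))


def is_affected(version):
    """True if the version lies inside any affected range from the advisory."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or low <= v) and v <= high:
            return True
    return False


def triage(versions):
    """Map each reported instance version to its affected status."""
    return {ver: is_affected(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory of instance versions (not real hosts).
    sample = ["16.9.4-ee", "16.10.6", "16.10.7", "16.11.3",
              "16.11.4-ee", "17.0.1", "17.0.2"]
    for ver, hit in triage(sample).items():
        status = "AFFECTED - upgrade" if hit else "not in affected ranges"
        print(f"{ver:12} {status}")
```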