GitLab Patches Critical HTML Injection Flaw Leading To XSS Attacks


GitLab has released new patch versions 17.5.1, 17.4.3, and 17.3.6 for both its Community Edition (CE) and Enterprise Edition (EE).

These updates address a critical HTML injection vulnerability that could lead to cross-site scripting (XSS) attacks, alongside other security and bug fixes.

SIEM as a Service

The primary focus of this patch is a high-severity HTML injection flaw identified in GitLab’s Global Search feature.

Vulnerabilities Patched

This vulnerability, which affects all versions from 15.10 up to but not including the newly released patches, allows attackers to inject malicious HTML into the search field on a diff view.

This could enable XSS attacks, where malicious scripts are executed in users’ browsers, compromising sensitive data and user accounts.

The vulnerability has been assigned CVE-2024-8312 and carries a CVSS score of 8.7, indicating its high impact and ease of exploitation.

Free Webinar on Protecting Websites & APIs From Cyber Attacks -> Join Here

GitLab has acknowledged the contribution of security researcher joaxcar for identifying this flaw through their HackerOne bug bounty program.

GitLab strongly advises all users running affected versions to upgrade immediately to mitigate potential risks. The patched versions are already deployed on GitLab.com, ensuring that users of the hosted service are protected.

However, self-managed installations must be updated manually to prevent exploitation. Alongside the HTML injection patch, the release also addresses a medium-severity Denial of Service (DoS) vulnerability related to XML manifest file imports.

This flaw could allow attackers to disrupt services by importing maliciously crafted XML files. It has been assigned CVE-2024-6826 and is now resolved in the latest updates.

GitLab’s release strategy includes both scheduled bi-monthly updates and ad-hoc patches for critical vulnerabilities, reflecting their commitment to maintaining high security standards across all platforms.

Detailed information about each vulnerability will be made public on GitLab’s issue tracker 30 days after release.

This will allow users to understand the scope and impact of each fix while ensuring immediate protection through timely updates.

GitLab recommends that all users regularly update their installations to the latest supported versions. They also encourage following best practices outlined in their security documentation to further safeguard against potential threats.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here



Source link