GitLab Patches HTML Injection Flaw Leads to XSS Attacks

GitLab has announced the release of critical security updates for its Community Edition (CE) and Enterprise Edition (EE).

The updates address a high-severity HTML injection vulnerability that could lead to cross-site scripting (XSS) attacks. The patched versions, 17.5.1, 17.4.3, and 17.3.6, are now available for immediate upgrade. 

The vulnerability, CVE-2024-8312, affects all GitLab CE/EE versions from 15.10 to the latest releases before these patches.

It was discovered that an attacker could inject HTML into the Global Search field on a diff view, potentially exploiting this flaw for XSS attacks.

National Cybersecurity Awareness Month Cyber Challenges – Test your Skills Now

With a CVSS score of 8.7, this issue is considered high severity due to its potential impact on confidentiality and integrity.

GitLab has emphasized the importance of upgrading self-managed installations to these patched versions without delay.

While GitLab.com users are already protected with the updated version, GitLab Dedicated customers do not need to take any action. 

In addition to the XSS vulnerability, the updates address a medium-severity denial of service (DoS) vulnerability via XML manifest file import, identified as CVE-2024-6826.

This issue affected versions from 11.2 onwards and could allow attackers to disrupt services by importing a maliciously crafted XML file. 

Researchers boxcar and a92847865 responsibly reported both vulnerabilities through GitLab’s HackerOne bug bounty program, respectively.

GitLab continues its commitment to security by releasing both scheduled and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases occur twice monthly on the second and fourth Wednesdays.

Users are encouraged to visit GitLab’s release blog and security FAQ for more information on maintaining secure installations.

The company also advises following best practices outlined in their blog post on securing GitLab instances.

For those using GitLab’s helm charts, devkit, and analytics stack, updates have been made to remove support for dynamic funnels, alongside an update to the Ingress NGINX Controller image version 1.11.2.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here