CVE-2024-8648

MEDIUM severity · CVSS 6.1 · Cross-site scripting (XSS)

6.1CVSS MEDIUM

Summary

An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionRequired

Confidentiality impactLow

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)3%

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products we track (1)

GitLab

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#stored-xss-through-javascript-url-in-analytics-dashboardsAdvisory
https://gitlab.com/gitlab-org/gitlab/-/issues/486220
https://hackerone.com/reports/2683863