CVE-2024-4201

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.111.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

History

18 Jul 2024, 19:39

Type Values Removed Values Added
References () https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#xss-and-content-injection-when-viewing-raw-xhtml-files-on-ios-devices - () https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#xss-and-content-injection-when-viewing-raw-xhtml-files-on-ios-devices - Release Notes
References () https://gitlab.com/gitlab-org/gitlab/-/issues/458229 - () https://gitlab.com/gitlab-org/gitlab/-/issues/458229 - Vendor Advisory
References () https://hackerone.com/reports/2473886 - () https://hackerone.com/reports/2473886 - Third Party Advisory
CPE cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
First Time Gitlab gitlab
Gitlab

13 Jun 2024, 18:36

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema de cross-site scripting en GitLab que afecta a todas las versiones desde 5.1 anteriores a 16.10.7, todas las versiones desde 16.11 anteriores a 16.111.4, todas las versiones desde 17.0 anteriores a 17.0.2. Al visualizar un archivo XML en un repositorio en modo sin formato, se puede hacer que se represente como HTML si se ve en circunstancias específicas.

12 Jun 2024, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-12 23:15

Updated : 2024-07-18 19:39


NVD link : CVE-2024-4201

Mitre link : CVE-2024-4201

CVE.ORG link : CVE-2024-4201


JSON object : View

Products Affected

gitlab

  • gitlab
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')