PT-2024-1869 · Gitlab · Gitlab Ce/Ee+1

Yvvdwfon · Published 2024-02-12 · Updated 2024-03-06 · CVE-2024-1451

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 16.9 through 16.9.0

Description: The issue stems from improper neutralization of user-controlled input when the user profile page is rendered (the page structure is not protected against injected markup), which allows a stored cross-site scripting (XSS) attack on the client side. A remote attacker who places a crafted payload on a user profile page could cause arbitrary actions to be performed on behalf of victims who view that page.

Recommendations: For GitLab CE/EE versions 16.9 through 16.9.0, update to version 16.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the user profile page until the update is applied, and avoid using the user profile page for sensitive operations until the issue is resolved.


Weakness Enumeration

Related Identifiers

BDU:2024-01630
BIT-GITLAB-2024-1451
CVE-2024-1451

Affected Products

Gitlab
Gitlab Ce/Ee