CVE-2024-4835

Name of the Vulnerable Software and Affected Versions GitLab versions 15.11 through 16.10.5 GitLab versions 16.11 through 16.11.2 GitLab versions 17.0 through 17.0.0

Description A cross-site scripting (XSS) condition exists within GitLab. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information. This could potentially lead to a full account takeover. The issue is related to the code editor on GitLab.

Recommendations For GitLab versions 15.11 through 16.10.5, update to version 16.10.6 or later. For GitLab versions 16.11 through 16.11.2, update to version 16.11.3 or later. For GitLab versions 17.0 through 17.0.0, update to version 17.0.1 or later. As a temporary workaround, consider restricting access to the code editor until a patch is available. Avoid using the code editor in the affected API endpoints until the issue is resolved.