PT-2024-8870 · Gitlab · Gitlab Ce/Ee+1

Patrick Bajao · Published 2024-11-13 · Updated 2024-12-13

CVE-2024-10240
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
GitLab EE versions 17.3 through 17.3.7
GitLab EE versions 17.4 through 17.4.4
GitLab EE versions 17.5 through 17.5.2
GitLab CE versions 17.3 through 17.3.7
GitLab CE versions 17.4 through 17.4.4
GitLab CE versions 17.5 through 17.5.2

Description: The issue concerns disclosure of system data to unauthorized users in a controlled area. An unauthenticated user may be able to read some information about a merge request in a private project under certain circumstances. Improper output encoding could lead to XSS if Content Security Policy is not enabled.

Recommendations:
For GitLab EE versions 17.3 through 17.3.7, update to version 17.3.7 or later.
For GitLab EE versions 17.4 through 17.4.4, update to version 17.4.4 or later.
For GitLab EE versions 17.5 through 17.5.2, update to version 17.5.2 or later.
For GitLab CE versions 17.3 through 17.3.7, update to version 17.3.7 or later.
For GitLab CE versions 17.4 through 17.4.4, update to version 17.4.4 or later.
For GitLab CE versions 17.5 through 17.5.2, update to version 17.5.2 or later.
As a temporary workaround, consider enabling Content Security Policy to minimize the risk of XSS exploitation.

Related Identifiers

BDU:2024-10537
BIT-GITLAB-2024-10240
CVE-2024-10240

Affected Products

Gitlab
Gitlab Ce/Ee