PT-2024-9136 · Gitlab · Gitlab Ce/Ee+1

Joaxcaron · Published 2024-10-23 · Updated 2024-12-13 · CVE-2024-8312

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
GitLab CE/EE versions 15.10 through 17.3.5
GitLab CE/EE versions 17.4 through 17.4.2
GitLab CE/EE versions 17.5 through 17.5.0
Description: An issue has been discovered in GitLab CE/EE that could allow an attacker to inject HTML into the Global Search field on a diff view, leading to cross-site scripting (XSS). The root cause is insufficient protection of the web page structure (unsanitized HTML output), which could enable a remote attacker to conduct cross-site scripting attacks against users who view the affected page.
Recommendations: For GitLab CE/EE versions 15.10 through 17.3.5, update to version 17.3.6 or later. For GitLab CE/EE versions 17.4 through 17.4.2, update to version 17.4.3 or later. For GitLab CE/EE versions 17.5 through 17.5.0, update to version 17.5.1 or later. As a temporary workaround, consider restricting access to the Global Search field on diff views until the fixed version can be deployed.

Exploit

Fix

XSS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

BDU:2024-10822
BDU:2024-10823
BIT-GITLAB-2024-8312
CVE-2024-8312

Affected Products

Gitlab
Gitlab Ce/Ee