GitLab CE/EE Vulnerability: Stored XSS on Client Side
CVE-2024-1451
Summary
A stored cross-site scripting (XSS) vulnerability has been identified in GitLab CE/EE. All versions from 16.9 up to, but not including, 16.9.1 are affected. The issue stems from the ability to inject a crafted payload into the user profile page; because the payload is stored, it is rendered for every user who views the profile, giving persistent XSS on the client side. An attacker can use this to execute arbitrary actions in the browser on behalf of the viewing user, potentially compromising user accounts and the wider application. Affected installations should be updated to 16.9.1 or later without delay.
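To illustrate the class of defect described above, the following is an added JavaScript example, not GitLab's code and not the page's own: the specific profile field and template involved in CVE-2024-1451 are not detailed here, so a profile "bio" field is assumed. It contrasts the vulnerable pattern (a stored value concatenated straight into markup) with the hardened pattern (output encoding at render time), and adds a small check a defender can run over stored profile text to flag values that would be interpreted as markup.

```javascript
// Added example (not GitLab code). The field name "bio" and the
// surrounding template are assumptions for illustration only.

// Minimal HTML entity encoder for text placed in element content or in
// double-quoted attribute values. Each character that could start or end
// markup is replaced by its entity form.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable pattern: the stored profile value is inserted verbatim, so any
// tag in the bio becomes live markup for every viewer of the profile.
function renderProfileUnsafe(profile) {
  return `<div class="bio">${profile.bio}</div>`;
}

// Hardened pattern: the same value is encoded at output time, so the
// browser displays the text of the payload instead of executing it.
function renderProfileSafe(profile) {
  return `<div class="bio">${escapeHtml(profile.bio)}</div>`;
}

// Detection aid: flag stored profile text containing something that would
// be parsed as a tag if it were rendered without encoding. A bare "<"
// followed by whitespace and a digit (e.g. "1 < 2") is not flagged.
function containsMarkup(value) {
  return /<\s*[a-z!\/]/i.test(String(value));
}

// Constructed sample profile carrying a harmless script-tag canary.
const sampleProfile = { bio: 'Hello <script>alert(1)</script>' };

// Stand-alone usage: compare both renderings and the detection result.
console.log('unsafe :', renderProfileUnsafe(sampleProfile));
console.log('safe   :', renderProfileSafe(sampleProfile));
console.log('flagged:', containsMarkup(sampleProfile.bio));
```

The safe rendering yields `&lt;script&gt;` in the output, which the browser shows as literal text; the unsafe rendering leaves the tag intact. In a real application the encoding belongs in the template layer (or in a DOM API such as `textContent`) so that it cannot be forgotten on an individual field, which is exactly the kind of omission a stored XSS in a profile page points to.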
Affected Version(s)
GitLab 16.9.0 < 16.9.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
CVE-2024-1451: GitLab Community Edition/Enterprise Edition up to 16.9.0 user profile page cross site scripting - Cloud WAF
CVE-2024-1451: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.1.
Timeline
- Public PoC available
- Exploit known to exist
- First article discovered by prophaze.com
- Vulnerability published
- Vulnerability reserved