politics

GitLab Patches XSS Vulnerability Allow Account Takeover

Read Insight

May 26, 2024 — 1 min read

GitLab recently addressed a high-severity cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to take over user accounts. The vulnerability, tracked as CVE-2024-4835, affects multiple versions of the GitLab Community Edition (CE) and Enterprise Edition (EE).

Vulnerability Details

The XSS flaw allows an attacker to exploit a specially crafted page to exfiltrate sensitive user information, including session cookies. This could enable the attacker to steal user sessions and perform actions on their behalf, such as taking over the user's account.

Impact and Patches

The vulnerability impacts versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. GitLab addressed the issue with the release of versions 17.0.1, 16.11.3, and 16.10.6 for CE and EE.

In total, GitLab has fixed several other vulnerabilities, including:

1-click account takeover via XSS leveraging the VS code editor (Web IDE)
Denial of Service vulnerability in the 'description' field of the runner
CSRF via K8s cluster-integration
Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipeline_id did not match
Redos on wiki render API/Page
Resource exhaustion and denial of service with test_report API calls
Guest user can view dependency lists of private projects through job artifacts

These flaws were reported by various researchers, including matanber, who was rewarded with a $10,270 bounty.

With these vulnerabilities patched, GitLab users are urged to update to the latest versions to safeguard their accounts and protect against potential attacks.

Regarding the fix, a GitLab spokesperson said, "We are committed to maintaining a high standard of security and privacy for our users and addressing any issues that may arise. We appreciate the responsible disclosure of these vulnerabilities by the cybersecurity community and thank them for their efforts to keep our users safe."

Stay tuned for more updates on security news and follow me on Twitter and Mastodon. Cheers!

Eric Holder to Conduct Equity Audit on Kamala Running Mates

Former Attorney General Eric Holder, who now works as senior counsel at the law firm Covington & Burling, is taking a break from conducting "diversity, equity, and inclusion" audits for major corporations to vet Kamala Harris's potential running mates. Holder was enlisted on Monday to vet

Biden's Dereliction of Duty Meets Kamala's Incompetence: A Match Made in Hell

The writing was always on the wall, but this week Biden confirmed what we knew all along - he is a weak and feckless leader. In a pathetic attempt to salvage his legacy, Biden announced that he will be stepping down as president and will run for the Senate seat

Apple TV+: Watch Apple Original Shows and Movies on Any Device

Apple TV+: Original Shows and Movies on Any Device Apple TV+ is a streaming service that offers exclusive Apple original TV shows and movies in 4K HDR quality. You can watch across all of your screens and pick up where you left off on any device. Apple TV+ costs $9.

The greatest Olympians of the 21st century

1. Michael Phelps, swimming: Record 28-time Olympic medalist, 23-time Olympic gold medalist, most gold medals at a single Olympics when he won eight at Beijing in 2008. 2. Simone Biles, gymnastics: Seven-time Olympic medalist (tied for most by American gymnast), four Olympic gold medals (2016, tied for most by female