GitLab Patches XSS Vulnerability Allow Account Takeover

GitLab recently addressed a high-severity cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to take over user accounts. The vulnerability, tracked as CVE-2024-4835, affects multiple versions of the GitLab Community Edition (CE) and Enterprise Edition (EE).

Vulnerability Details

The XSS flaw allows an attacker to exploit a specially crafted page to exfiltrate sensitive user information, including session cookies. This could enable the attacker to steal user sessions and perform actions on their behalf, such as taking over the user's account.

Impact and Patches

The vulnerability impacts versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. GitLab addressed the issue with the release of versions 17.0.1, 16.11.3, and 16.10.6 for CE and EE.

In total, GitLab has fixed several other vulnerabilities, including:

  1. 1-click account takeover via XSS leveraging the VS code editor (Web IDE)
  2. Denial of Service vulnerability in the 'description' field of the runner
  3. CSRF via K8s cluster-integration
  4. Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipeline_id did not match
  5. Redos on wiki render API/Page
  6. Resource exhaustion and denial of service with test_report API calls
  7. Guest user can view dependency lists of private projects through job artifacts

These flaws were reported by various researchers, including matanber, who was rewarded with a $10,270 bounty.

With these vulnerabilities patched, GitLab users are urged to update to the latest versions to safeguard their accounts and protect against potential attacks.

Regarding the fix, a GitLab spokesperson said, "We are committed to maintaining a high standard of security and privacy for our users and addressing any issues that may arise. We appreciate the responsible disclosure of these vulnerabilities by the cybersecurity community and thank them for their efforts to keep our users safe."

Stay tuned for more updates on security news and follow me on Twitter and Mastodon. Cheers!

Read more