CVE-2024-4835

A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/461328	Exploit Issue Tracking
https://hackerone.com/reports/2497024	Permissions Required
https://gitlab.com/gitlab-org/gitlab/-/issues/461328	Exploit Issue Tracking
https://hackerone.com/reports/2497024	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:17.0.0::::community:::
	cpe:2.3:a:gitlab:gitlab:17.0.0::::enterprise:::

History

16 Dec 2024, 15:10

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/461328 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/461328 - Exploit, Issue Tracking
References	~~() https://hackerone.com/reports/2497024 -~~	() https://hackerone.com/reports/2497024 - Permissions Required
CPE		cpe:2.3:a:gitlab:gitlab:17.0.0::::community::: cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:17.0.0::::enterprise::: cpe:2.3:a:gitlab:gitlab:::::community:::*
First Time		Gitlab Gitlab gitlab

21 Nov 2024, 09:43

Type	Values Removed	Values Added
Summary		(es) Existe una condición XSS dentro de GitLab en las versiones 15.11 anteriores a 16.10.6, 16.11 anteriores a 16.11.3 y 17.0 anteriores a 17.0.1. Al aprovechar esta condición, un atacante puede crear una página maliciosa para extraer información confidencial del usuario.
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/461328 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/461328 -
References	~~() https://hackerone.com/reports/2497024 -~~	() https://hackerone.com/reports/2497024 -

23 May 2024, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-23 07:15

Updated : 2024-12-16 15:10

NVD link : CVE-2024-4835

Mitre link : CVE-2024-4835

CVE.ORG link : CVE-2024-4835

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

8.0 /10