CVE-2024-8648

An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#stored-xss-through-javascript-url-in-analytics-dashboards	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/486220	Broken Link
https://hackerone.com/reports/2683863	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

12 Dec 2024, 21:45

Type	Values Removed	Values Added
First Time		Gitlab Gitlab gitlab
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:::::community:::*
References	~~() https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#stored-xss-through-javascript-url-in-analytics-dashboards -~~	() https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#stored-xss-through-javascript-url-in-analytics-dashboards - Vendor Advisory
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/486220 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/486220 - Broken Link
References	~~() https://hackerone.com/reports/2683863 -~~	() https://hackerone.com/reports/2683863 - Permissions Required

15 Nov 2024, 13:58

Type	Values Removed	Values Added
Summary		(es) Se ha descubierto un problema en GitLab CE/EE que afecta a todas las versiones desde la 16 hasta la 17.3.7, la 17.4 hasta la 17.4.4 y la 17.5 hasta la 17.5.2. La vulnerabilidad podría permitir que un atacante inyecte código JavaScript malicioso en los paneles de Analytics a través de una URL especialmente manipulada.

14 Nov 2024, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-14 13:15

Updated : 2024-12-12 21:45

NVD link : CVE-2024-8648

Mitre link : CVE-2024-8648

CVE.ORG link : CVE-2024-8648

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10