Severity
High
Analysis Summary
CVE-2024-6530 CVSS:7.3
GitLab Community Edition and Enterprise Edition are vulnerable to cross-site scripting, caused by improper validation of user-supplied input by. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-9631 CVSS:7.5
GitLab Community Edition and Enterprise Edition are vulnerable to a denial of service, caused by ISSUE. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
Impact
- Cross-site Scripting
- Denial of Service
Indicators of Compromise
CVE
CVE-2024-6530
CVE-2024-9631
Affected Vendors
- GitLab
Affected Products
- GitLab Community Edition (CE) and Enterprise Edition (EE) - 17.4.1
- GitLab Community Edition (CE) and Enterprise Edition (EE) - 17.3.4
- GitLab Community Edition (CE) and Enterprise Edition (EE) - 17.2.8
Remediation
Upgrade to the latest version of GitLab Community Edition and Enterprise Editio, available from the GitLab Website.