CVE-2024-8648 MEDIUM

CVE-2024-8648: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

Vendor Gitlab

Product GitLab

Weakness CWE-79 · XSS

Published November 14, 2024

Last update November 14, 2024

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.

Key dates

02Disclosure timeline

November 14, 2024 CVE published

November 14, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-8648

Related vulnerabilities

04Related CVE

CVE-2024-50414 WordPress Button contact VR plugin <= 4.7.9.1 - Cross Site Scripting (XSS) vulnerability CVE-2021-24702 LearnPress < 4.1.3.1 - Multiple Admin+ Stored Cross-Site Scripting CVE-2024-22288 WordPress WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin <= 4.4.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-1559 Youzify <= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'checkin_place_id' Parameter CVE-2026-3354 Wikilookup <= 1.1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Popup Width' Setting

Identifiers

CVE CVE-2024-8648

CWE CWE-79

CVSS 6.1 / MEDIUM

Affected versions

Vendor Gitlab

Product GitLab

Affected ≥ 16 and < 17.3.7

Vendor Gitlab

Product GitLab

Affected ≥ 17.4 and < 17.4.4

Vendor Gitlab

Product GitLab

Affected ≥ 17.5 and < 17.5.2