CVE-2018-9243 Information

Description

GitLab Community and Enterprise Editions from version 8.4 up to 10.4 are vulnerable to cross-site scripting (XSS): the merge request component does not validate or escape the filenames it displays, so a filename shown in the Changes tab of a merge request is rendered as HTML markup instead of text. This is fixed in 10.6.3, 10.5.7 and 10.4.7.
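The bug class named in the description, as an added illustration that is not GitLab's code and does not reproduce the original defect: a diff file list that interpolates an author-controlled filename straight into HTML, beside the same list rendered through ERB::Util.html_escape. The filenames are constructed inputs, and the tag-count check is this example's own assumption about what "injected markup" means.

```ruby
require "erb"

# Constructed sample filenames (not from the advisory): the part of a merge
# request that its author controls and that a Changes tab has to render.
SAMPLE_FILENAMES = [
  "lib/parser.rb",
  "<img src=x onerror=alert(document.cookie)>.rb",
  "docs/\"><script>alert(1)</script>.md",
].freeze

WRAPPER_TAGS = 2 # the <li> and </li> the template itself emits

# Unsafe rendering: the untrusted filename is concatenated into the HTML, so
# any markup in it becomes part of the page. This is the pattern behind the
# bug class, not GitLab's actual template.
def render_unsafe(filename)
  "<li class=\"diff-file\">#{filename}</li>"
end

# Hardened rendering: HTML-escape the filename at the output boundary.
# ERB::Util.html_escape turns & < > " ' into entities, so the browser shows
# the name as text and never parses it as a tag or attribute.
def render_safe(filename)
  "<li class=\"diff-file\">#{ERB::Util.html_escape(filename)}</li>"
end

# Count tag openers (<x or </) in a fragment. Anything above WRAPPER_TAGS
# means the filename smuggled markup into the page.
def tag_count(html)
  html.scan(%r{<[a-zA-Z/]}).size
end

def injects_markup?(html)
  tag_count(html) > WRAPPER_TAGS
end

# Run both renderers over every sample and report which ones inject markup.
def audit(filenames = SAMPLE_FILENAMES)
  filenames.map do |name|
    {
      filename: name,
      unsafe_injects: injects_markup?(render_unsafe(name)),
      safe_injects: injects_markup?(render_safe(name)),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit.each do |r|
    puts "#{r[:unsafe_injects] ? 'UNSAFE' : 'ok    '}  " \
         "#{r[:safe_injects] ? 'SAFE-FAIL' : 'safe-ok  '}  #{r[:filename]}"
  end
end
```

Escaping at the point where the filename meets HTML is the fix regardless of how the filename got into the repository; validating filenames on input would not help, since git already allows these characters in paths.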

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
https://gitlab.com/gitlab-org/gitlab-ce/issues/42028

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Base Severity

MEDIUM
