Account Takeover Possible: GitLab Addresses High-Severity XSS Flaw
GitLab has released updates for its current product line, addressing a vulnerability that allows unauthenticated attackers to hijack user accounts via XSS attacks.
“Today we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE),” the company announced. “These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.”
The primary issue, rated 8.0 on the CVSS scale and identified as CVE-2024-4835, is an XSS vulnerability in the Web IDE's VS Code editor. It enables attackers to steal confidential information using specially crafted pages. Although this vulnerability does not require authentication, user interaction is still necessary, which makes the attack somewhat more challenging to execute.
Alongside this high-severity issue, the company also addressed six medium-severity vulnerabilities (CVSS scores ranging from 4.3 to 6.5), including a CSRF vulnerability via the Kubernetes Agent server (CVE-2023-7045) and a denial-of-service vulnerability that could disrupt the loading of GitLab web resources (CVE-2024-2874).
GitLab often becomes a target of attacks as it stores various types of sensitive data, including API keys and proprietary code. Account hijacking on the platform can have severe consequences, including supply chain attacks if attackers manage to inject malicious code into an organization’s CI/CD environment.
Earlier this month, CISA warned that attackers are actively exploiting another GitLab vulnerability, one that allows account takeovers without any user interaction.
Identified as CVE-2023-7028, this flaw has a maximum severity level (10.0 on CVSS) and allows unauthenticated attackers to hijack GitLab accounts via a password reset.
Shadowserver identified more than 5300 vulnerable GitLab instances accessible online in January; 2084 of them remain at risk. CISA added CVE-2023-7028 to its catalog of known exploited vulnerabilities on May 1, requiring U.S. federal agencies to secure their systems by May 22.