
GitLab XSS Vulnerability Could Allow Account Takeover

Latest Hacking News

GitLab has shipped a number of security fixes with its latest release. These include a high-severity XSS vulnerability that could allow account takeover of a targeted GitLab user. The developers urge all users to upgrade to the latest patched versions to receive the security fixes.

High-Severity GitLab XSS Vulnerability Patched

According to a recent post from GitLab, the developers addressed a number of security vulnerabilities with the latest release. The most critical item in the whole update bundle is a high-severity cross-site scripting (XSS) vulnerability.

Describing this flaw, identified as CVE-2024-4835, GitLab stated that the vulnerability existed in the VS Code editor (Web IDE). Exploiting the flaw could allow an adversary to exfiltrate sensitive user information by creating maliciously crafted pages.

This vulnerability received a CVSS score of 8.0, and it affected GitLab versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. It was first spotted by security researcher Matan Berson, who reported it to GitLab through its HackerOne bug bounty program.

Other Security Fixes In The Latest GitLab Update

Apart from the high-severity XSS flaw, GitLab also patched a number of other security vulnerabilities with the latest updates. These include the following.

  • CVE-2024-2874 (CVSS 6.5): A medium-severity DoS vulnerability affecting the runner description field. Exploiting the flaw simply required registering a runner with a crafted description, which could then disrupt loading of targeted GitLab web resources.
  • CVE-2023-7045 (CVSS 5.4): A medium-severity cross-site request forgery (CSRF) vulnerability that an attacker could exploit via the Kubernetes Agent Server (KAS).
  • CVE-2024-5258 (CVSS 4.4): A medium-severity authorization vulnerability that could let an authenticated adversary bypass pipeline authorization logic via a crafted naming convention. GitLab credited its team member Andrew Winata for reporting this issue.
  • CVE-2023-6502 (CVSS 4.3): A medium-severity denial of service that an adversary could trigger via a maliciously crafted wiki page.
  • CVE-2024-1947 (CVSS 4.3): Another medium-severity DoS flaw affecting the test_report API calls. An attacker could trigger it by sending maliciously crafted API calls.
  • CVE-2024-5318 (CVSS 4.3): A medium-severity vulnerability that could allow an adversary to "view dependency lists of private projects through job artifacts".

GitLab patched all these vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.0.1, 16.11.3, and 16.10.6, urging users to update their installations accordingly.
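As an added example (not code from the original post or from GitLab), the following Python checks a self-managed instance's version string against the affected ranges for CVE-2024-4835 quoted above and reports the first fixed version on that branch. The function names and the sample version strings are my own; the ranges are copied from the advisory summary in this article.

```python
"""Check a GitLab version string against the CVE-2024-4835 affected ranges.

Added example, not GitLab's own tooling. The ranges come from the advisory
summary: 15.11 before 16.10.6, 16.11 before 16.11.3, 17.0 before 17.0.1.
The sample version strings in main() are constructed for illustration.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release branch, as stated in the advisory.
# Versions are compared as (major, minor, patch) tuples, so e.g. 16.3.x sits
# inside the first range (15.11.0 <= 16.3.x < 16.10.6).
AFFECTED_RANGES = [
    ((15, 11, 0), (16, 10, 6)),
    ((16, 11, 0), (16, 11, 3)),
    ((17, 0, 0), (17, 0, 1)),
]


def parse_version(raw: str) -> Version:
    """Turn '16.11.2-ee', 'v17.0.1' or '16.11' into an int tuple.

    Edition suffixes (-ee, -ce) and anything after the patch number are
    ignored; a missing patch component is treated as 0.
    """
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def fixed_version(raw: str) -> Optional[Version]:
    """Return the first patched version on the matching branch, or None
    if the version is outside every affected range."""
    v = parse_version(raw)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return first_fixed
    return None


def is_affected(raw: str) -> bool:
    """True when the version falls inside one of the advisory's ranges."""
    return fixed_version(raw) is not None


def main() -> None:
    # Constructed sample inputs, not real instance data.
    samples = ["16.11.2-ee", "16.3.4-ce", "17.0.0", "16.10.6", "17.0.1-ee", "15.10.9"]
    for s in samples:
        fix = fixed_version(s)
        if fix is None:
            print(f"{s:12} not in an affected range")
        else:
            print(f"{s:12} AFFECTED, upgrade to {'.'.join(map(str, fix))}")


if __name__ == "__main__":
    main()
```

The version string itself can be read from the instance's `/api/v4/version` endpoint (authenticated) or from the admin area; paste it into `is_affected`. Two caveats: the check only covers the ranges GitLab listed, so releases older than 15.11, which are out of support and not mentioned in the advisory, are reported as "not in an affected range" rather than as safe, and being on a fixed version for CVE-2024-4835 does not by itself confirm the other six fixes in the same release.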

Let us know your thoughts in the comments.



© 2024 cyberbeatnews.com – All Rights Reserved.