CVE-2018-9243
Severity Score
6.1
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7.
Las ediciones Community y Enterprise de GitLab, de la versión 8.4 hasta la 10.4, son vulnerables a Cross-Site Scripting (XSS) debido a la falta de validación de entradas en el componente merge request que desemboca en Cross-Site Scripting (XSS) (específicamente, los nombres de archivo en las pestañas de cambios de merge requests). La vulnerabilidad se ha solucionado en las versiones 10.6.3, 10.5.7 y 10.4.7.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-04-03 CVE Reserved
- 2018-04-05 CVE Published
- 2024-02-13 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://gitlab.com/gitlab-org/gitlab-ce/issues/42028 | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released | 2019-02-27 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Gitlab Search vendor "Gitlab" | Gitlab Search vendor "Gitlab" for product "Gitlab" | >= 8.4 < 10.4.7 Search vendor "Gitlab" for product "Gitlab" and version " >= 8.4 < 10.4.7" | community |
Affected
| ||||||
| Gitlab Search vendor "Gitlab" | Gitlab Search vendor "Gitlab" for product "Gitlab" | >= 8.4 < 10.4.7 Search vendor "Gitlab" for product "Gitlab" and version " >= 8.4 < 10.4.7" | enterprise |
Affected
| ||||||
| Gitlab Search vendor "Gitlab" | Gitlab Search vendor "Gitlab" for product "Gitlab" | >= 10.5.0 < 10.5.7 Search vendor "Gitlab" for product "Gitlab" and version " >= 10.5.0 < 10.5.7" | community |
Affected
| ||||||
| Gitlab Search vendor "Gitlab" | Gitlab Search vendor "Gitlab" for product "Gitlab" | >= 10.5.0 < 10.5.7 Search vendor "Gitlab" for product "Gitlab" and version " >= 10.5.0 < 10.5.7" | enterprise |
Affected
| ||||||
| Gitlab Search vendor "Gitlab" | Gitlab Search vendor "Gitlab" for product "Gitlab" | >= 10.6.0 < 10.6.3 Search vendor "Gitlab" for product "Gitlab" and version " >= 10.6.0 < 10.6.3" | community |
Affected
| ||||||
| Gitlab Search vendor "Gitlab" | Gitlab Search vendor "Gitlab" for product "Gitlab" | >= 10.6.0 < 10.6.3 Search vendor "Gitlab" for product "Gitlab" and version " >= 10.6.0 < 10.6.3" | enterprise |
Affected
| ||||||