GitLab is prone to an HTML injection vulnerability.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.
Solution:
Updates are available. Please see the references or vendor advisory for more information.
| Field | Value |
|---|---|
| Bugtraq ID | 109122 |
| Class | Input Validation Error |
| CVE | CVE-2018-19493 |
| Remote | Yes |
| Local | No |
| Published | Jul 10 2019 12:00AM |
| Updated | Jul 10 2019 12:00AM |
| Credit | James Ritchey |
| Vulnerable | GitLab Enterprise Edition 11.3, 11.4, 11.5; GitLab Community Edition 11.3, 11.4, 11.5 |
| Not Vulnerable | GitLab Enterprise Edition 11.3.11, 11.4.8, 11.5.1; GitLab Community Edition 11.3.11, 11.4.8, 11.5.1 |
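As an added triage helper (not part of the advisory or of GitLab's own code): given an installed GitLab version string, it classifies the install against the affected branches and fixed releases listed above. The `MAJOR.MINOR.PATCH` format, the optional leading `v`, and the `-ee` edition suffix are assumptions about how the version is reported; the advisory gives the same fixed versions for CE and EE, so the edition does not change the result.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by the affected minor branch.
# Branches outside 11.3-11.5 are not mentioned, so they are reported as
# "not covered" rather than guessed at.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (11, 3): (11, 3, 11),
    (11, 4): (11, 4, 8),
    (11, 5): (11, 5, 1),
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'v' and a '-ee' style suffix
    are tolerated (assumed reporting formats, not taken from the advisory)."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def fixed_version_for(version: Version) -> Optional[Version]:
    """Return the fixed release for this version's branch, or None if the
    advisory does not cover that branch."""
    return FIXED_BY_BRANCH.get((version[0], version[1]))


def assess(version_text: str) -> str:
    """Classify an installed version against CVE-2018-19493:
    'vulnerable', 'fixed', or 'not covered'."""
    version = parse_version(version_text)
    fixed = fixed_version_for(version)
    if fixed is None:
        return "not covered"
    # Patch releases are ordered within a branch, so a tuple comparison
    # against the fixed release decides the status.
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus an uncovered one.
    for sample in ("11.3.10", "11.4.8-ee", "v11.5.0", "11.6.0"):
        print(sample, "->", assess(sample))
```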
References:
- GitLab Home Page (GitLab.com)
- GitLab Security Release: 11.5.1, 11.4.8, and 11.3.11 ()
- Stored XSS for Environments (GitLab)
from SecurityFocus Vulnerabilities https://ift.tt/2G8xJD8