CVE-2018-9243
MEDIUMGitLab 8.4-10.4 - Stored Cross-Site Scripting in Merge Request Changes Tab
Title source: llmDescription
GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://gitlab.com/gitlab-org/gitlab-ce/issues/42028
Vendor Advisory x_refsource_misc
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
Scores
CVSS v3
6.1
EPSS
0.0008
EPSS Percentile
23.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
gitlab/gitlab
8.4 - 10.4.7 (2 CPE variants)
Published
Apr 05, 2018
Tracked Since
Feb 18, 2026