CVE-2025-0376

HIGH

GitLab 13.3-17.6.4, 17.7-17.7.3, 17.8-17.8.1 - Cross-Site Scripting via Change Page

Title source: llm
STIX 2.1

Description

An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.

References (2)

Core 2
Core References
Broken Link issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/512603
Permissions Required technical-description exploit permissions-required
https://hackerone.com/reports/2930243

Scores

CVSS v3 8.7
EPSS 0.0318
EPSS Percentile 87.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
gitlab/gitlab 13.3.0 - 17.6.5 (2 CPE variants)
Published Feb 12, 2025
Tracked Since Feb 18, 2026