Main Vulnerability Database Vulnerabilities #VU37379

Cross-site scripting in Gitlab Community Edition - CVE-2017-0923

Published: March 21, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU37379

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-0923

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: GitLab, Inc

Affected software:
Gitlab Community Edition

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Gitlab Community Edition version 9.1 is vulnerable to lack of input validation in the IPython notebooks component resulting in persistent cross site scripting.

How to mitigate CVE-2017-0923

Install update from vendor's website.

Sources

https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
https://hackerone.com/reports/293740

Cross-site scripting in Gitlab Community Edition - CVE-2017-0923

Detailed vulnerability description

How to mitigate CVE-2017-0923

Sources

Please verify you're human