Serious GitLab Vulnerability Allowed Attackers to Hijack Accounts
GitLab has patched a serious XSS vulnerability that allowed unauthenticated attackers to take over user accounts. The issue, tracked as CVE-2024-4835, was an XSS flaw in the VS Code-based Web IDE editor. Attackers could exploit this vulnerability with a single click, stealing sensitive information through malicious web pages.
Although authentication was not required for the attack, some user interaction was necessary, which made exploitation more challenging.
"Today we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE)," the developers announced. "These versions include fixes for several bugs and vulnerabilities, and we strongly recommend updating GitLab to one of these versions immediately."
In addition to the mentioned XSS issue, the company fixed six other vulnerabilities, including a CSRF in Kubernetes Agent Server (CVE-2023-7045) and a denial-of-service bug that allowed attackers to disrupt the loading of GitLab web resources (CVE-2024-2874).
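As an added example (not from the article or from GitLab), the following script checks whether self-hosted instances are at or above the fixed releases named above (17.0.1, 16.11.3, 16.10.6), reading the version from the body returned by GitLab's `GET /api/v4/version` endpoint. The instance names, revision values and response bodies are constructed samples; treating branches newer than 17.0 as already fixed is an assumption.

```python
import json
import re

# Patched releases named in the advisory, keyed by release branch (major, minor).
PATCHED = {
    (17, 0): (17, 0, 1),
    (16, 11): (16, 11, 3),
    (16, 10): (16, 10, 6),
}

def parse_version(text):
    """Turn a GitLab version string such as '16.11.2-ee' into (16, 11, 2)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_patched(text):
    """True if this version contains the fixes, False if the instance must be upgraded."""
    version = parse_version(text)
    branch = version[:2]
    if branch in PATCHED:
        return version >= PATCHED[branch]
    if branch < min(PATCHED):
        return False  # branch older than 16.10: no backport, upgrade required
    # Assumption: branches newer than 17.0 already carry the fix; any other
    # unlisted branch is treated conservatively as unpatched.
    return branch > max(PATCHED)

def audit(responses):
    """Map instance name -> patched? for GET /api/v4/version response bodies."""
    return {name: is_patched(json.loads(body)["version"]) for name, body in responses.items()}

# Constructed sample responses; real ones come from GET /api/v4/version on each instance.
SAMPLE_RESPONSES = {
    "ci.example.internal": '{"version": "16.11.2-ee", "revision": "abc1234"}',
    "git.example.internal": '{"version": "17.0.1", "revision": "def5678"}',
    "lab.example.internal": '{"version": "16.9.8-ce", "revision": "0123456"}',
}

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {'patched' if ok else 'UPGRADE REQUIRED'}")
```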
Ongoing Exploitation of Other GitLab Vulnerabilities
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting another zero-click vulnerability in GitLab, CVE-2023-7028, which also allows account takeover.
A patch for this vulnerability was released back in January 2024. At that time, Shadowserver experts reported that more than 5,300 vulnerable GitLab instances were accessible online. That number has since dropped to around 2,000.