CVE-2024-10383
Published: 07 February 2025
Description
An issue has been discovered in the gitlab-web-ide-vscode-fork component distributed over CDN affecting all versions prior to 1.89.1-1.0.0-dev-20241118094343 and used by all versions of GitLab CE/EE starting from 15.11 prior to 17.3, and which also temporarily affected versions 17.4, 17.5 and 17.6, where an XSS attack was possible when loading .ipynb files in the web IDE.
Security Summary
CVE-2024-10383 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the gitlab-web-ide-vscode-fork component distributed over CDN. It affects all versions of this component prior to 1.89.1-1.0.0-dev-20241118094343. The component is used by all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 15.11 prior to 17.3, and it also temporarily affected versions 17.4, 17.5, and 17.6. The issue arises when loading .ipynb files in the web IDE.
The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). Exploitation is network-reachable with low attack complexity and needs only low privileges (an authenticated user able to place an .ipynb file where the victim will open it), but it requires user interaction: the victim must load the malicious notebook in the web IDE. Script then runs in the victim's browser session, giving high confidentiality and integrity impact; scope is rated changed because the vulnerable component (the CDN-served IDE bundle) and the impacted component (the victim's GitLab session) differ.
Mitigation details are available in the referenced advisories, including the GitLab issue at https://gitlab.com/gitlab-org/gitlab/-/issues/500785 and the HackerOne report at https://hackerone.com/reports/2765778. Affected instances should run a GitLab release that ships gitlab-web-ide-vscode-fork 1.89.1-1.0.0-dev-20241118094343 or later. Because the description states the component is distributed over a CDN rather than pinned to the GitLab release alone (which is how 17.4, 17.5 and 17.6 came to be temporarily affected), administrators should confirm the bundle version actually loaded by the Web IDE rather than inferring it from the GitLab version.
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")