GitLab Community Edition and Enterprise Edition CVE-2018-10379 HTML Injection Vulnerability
BID:104491
| Field | Value |
|---|---|
| Bugtraq ID: | 104491 |
| Class: | Input Validation Error |
| CVE: | CVE-2018-10379 |
| Remote: | Yes |
| Local: | No |
| Published: | May 31 2018 12:00AM |
| Updated: | May 31 2018 12:00AM |
| Credit: | The vendor reported this issue. |
| Vulnerable: | Gitlab GitLab Enterprise Edition 10.7, 10.6, 10.5; Gitlab GitLab Community Edition 10.7, 10.6, 10.5 |
| Not Vulnerable: | Gitlab GitLab Enterprise Edition 10.7.2, 10.6.5, 10.5.8; Gitlab GitLab Community Edition 10.7.2, 10.6.5, 10.5.8 |
Discussion
GitLab Community Edition and Enterprise Edition are prone to an HTML-injection vulnerability because they fail to sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
GitLab Community Edition and Enterprise Edition versions prior to 10.5.8, 10.6.x prior to 10.6.5, and 10.7.x prior to 10.7.2 are vulnerable.
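The version ranges above are the actionable part of this record for anyone running self-hosted GitLab. The following is an added example, not code from the advisory or from GitLab, that turns those ranges into an offline check over a constructed inventory: the fixed-version boundaries (10.5.8, 10.6.5, 10.7.2) come from the advisory text; the function names, the sample hostnames and their version strings are assumptions made up for the example.

```python
# Added example (not from the advisory or from GitLab): decide whether a
# GitLab CE/EE version string falls inside the ranges this advisory lists
# as vulnerable, so an inventory of self-hosted instances can be triaged
# offline. Only the version boundaries come from the advisory; names and
# sample data below are constructed.
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory, keyed by the minor branch they close.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (10, 5): (10, 5, 8),
    (10, 6): (10, 6, 5),
    (10, 7): (10, 7, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull (major, minor, patch) out of strings such as '10.6.4',
    '10.7.2-ee' or 'GitLab 10.5.7'. Raises ValueError if no x.y.z is present,
    so callers never silently treat an unparsable banner as 'fixed'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version is inside the advisory's vulnerable ranges:
    anything prior to 10.5.8, 10.6.x prior to 10.6.5, 10.7.x prior to 10.7.2."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_BY_BRANCH:
        # Same minor branch as a fixed release: affected iff older than the fix.
        return v < FIXED_BY_BRANCH[branch]
    # "Prior to 10.5.8" has no lower bound, so everything below the 10.5
    # branch is affected; branches newer than 10.7 are outside the advisory.
    return v < FIXED_BY_BRANCH[(10, 5)]


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each instance name to 'affected', 'fixed' or 'unknown'.
    Unparsable version strings are reported, not assumed safe."""
    result: Dict[str, str] = {}
    for name, version in inventory.items():
        try:
            result[name] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[name] = "unknown"
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "git-old.example.test": "10.4.2",
    "git-dev.example.test": "10.6.4-ee",
    "git-prod.example.test": "GitLab 10.7.2",
    "git-new.example.test": "11.0.0",
    "git-broken.example.test": "version unavailable",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The check is deliberately strict about unparsable input: an instance whose version cannot be read is reported as "unknown" rather than dropped, since a banner that does not parse is exactly the host a patch review would otherwise miss.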
Exploit / POC
To exploit this issue, an attacker must entice an unsuspecting victim to open a malicious URI.