An issue has been discovered in the gitlab-web-ide-vscode-fork component distributed over CDN affecting all versions prior to 1.89.1-1.0.0-dev-20241118094343and used by all versions of GitLab CE/EE starting from 15.11 prior to 17.3 and which also temporarily affected versions 17.4, 17.5 and 17.6, where a XSS attack was possible when loading .ipynb files in the web IDE
Fixes

Solution

Upgrade to GitLab version 17.3, 17.4, 17.5, 17.6 or later.


Workaround

No workaround given by the vendor.

History

Thu, 14 Aug 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Gitlab gitlab
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:17.4.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:17.4.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:17.5.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:17.5.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:17.6.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:17.6.0:*:*:*:enterprise:*:*:*
Vendors & Products Gitlab gitlab

Fri, 07 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 07 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Description An issue has been discovered in the gitlab-web-ide-vscode-fork component distributed over CDN affecting all versions prior to 1.89.1-1.0.0-dev-20241118094343and used by all versions of GitLab CE/EE starting from 15.11 prior to 17.3 and which also temporarily affected versions 17.4, 17.5 and 17.6, where a XSS attack was possible when loading .ipynb files in the web IDE
Title Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab VSCode Fork
First Time appeared Gitlab
Gitlab gitlab-web-ide-vscode-fork
Weaknesses CWE-79
CPEs cpe:2.3:a:gitlab:gitlab-web-ide-vscode-fork:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab-web-ide-vscode-fork
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2025-02-12T15:17:24.562Z

Reserved: 2024-10-25T11:02:07.652Z

Link: CVE-2024-10383

cve-icon Vulnrichment

Updated: 2025-02-07T14:35:12.551Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-07T15:15:16.703

Modified: 2025-08-14T19:24:54.723

Link: CVE-2024-10383

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.