CVE-2018-17536: 
GitLab vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in GitLab Community and Enterprise Edition before versions 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. The vulnerability was identified on the merge request page when performing project imports. The issue was disclosed on October 1, 2018, and was assigned the identifier CVE-2018-17536 (GitLab Advisory).

The vulnerability is classified as a stored XSS issue that occurs due to insufficient input validation and output encoding on the merge request page specifically during project import operations. The severity of this vulnerability has been assessed as MEDIUM with a CVSS v3.1 base score of 5.4 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) (NVD).

The vulnerability could allow attackers to execute malicious scripts in the context of other users' browsers when they view affected merge request pages. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other client-side attacks (GitLab Advisory).

GitLab has addressed this vulnerability in versions 11.1.7, 11.2.4, and 11.3.1. Users are strongly recommended to upgrade to these or later versions immediately to mitigate the risk. Note that version 11.1.7 was later found to still be vulnerable, and users should upgrade to version 11.1.8 instead (GitLab Advisory).

The vulnerability was responsibly reported by security researcher @isra17, who was acknowledged in GitLab's security advisory (GitLab Advisory).