CVE-2020-10091: 
GitLab vulnerability analysis and mitigation

GitLab versions 9.3 through 12.8.1 were affected by a cross-site scripting (XSS) vulnerability that was discovered when viewing particular file types. The vulnerability was reported by security researcher @mike12 and was assigned the identifier CVE-2020-10091. The issue was publicly disclosed on March 13, 2020, and was subsequently patched in GitLab version 12.8.2 (GitLab Advisory).

The vulnerability has been classified as a cross-site scripting (XSS) issue with a CVSS v3.1 Base Score of 6.1 (Medium) and a CVSS v2.0 Base Score of 4.3 (Medium). The vulnerability vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability is network accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The cross-site scripting vulnerability could allow attackers to execute malicious JavaScript code in the context of the victim's browser when viewing specific file types. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other client-side attacks (GitLab Advisory).

GitLab strongly recommends that all installations running affected versions (9.3 through 12.8.1) be upgraded to version 12.8.2 or later as soon as possible. The vulnerability has been fixed in GitLab version 12.8.2, which was released on March 4, 2020 (GitLab Advisory).