
Cloud Vulnerability DB
A community-led vulnerabilities database
A cross-site scripting (XSS) vulnerability was discovered in GitLab affecting versions from 5.1 before 15.9.6, 15.10 before 15.10.5, and 15.11 before 15.11.1. Under specific circumstances, particularly on iOS devices, XML files viewed in 'raw' mode are rendered as HTML rather than as plain text (GitLab Release).
The vulnerability arises when XML files are viewed in repository 'raw' mode. GitLab serves these files with Content-Type: plain/text and Content-Disposition: inline headers. iOS browsers ignore the Content-Type header when the XML file itself declares a content type, and therefore render the content as HTML instead of plain text. This behavior stems from an old specification implementation in WebKit and consequently affects all iOS browsers (GitLab Issue).
On self-hosted GitLab instances without a proper Content Security Policy (CSP), this could lead to full cross-site scripting. On gitlab.com, CSP blocks JavaScript execution, but the vulnerability still permits HTML injection that could be used for open redirection or phishing. The vulnerability received a CVSS score of 4.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N) (GitLab Release).
The vulnerability is patched in GitLab versions 15.9.6, 15.10.5, and 15.11.1. The fix serves XML files with a Content-Disposition: attachment header, as is already done for SVG files, so browsers download the file instead of displaying it inline (GitLab Release).
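The mitigation described above (force a download for file types a browser might render as markup, instead of relying on the Content-Type header) is illustrated by the following added example. It is not GitLab's code; the function names, the extension list and the header values are assumptions chosen for the illustration. The second function is a defender-side check that takes the headers an instance actually returned for a raw path and reports whether the failure mode from the advisory (XML still served inline) is present.

```ruby
# Added example (not GitLab's code): build the response headers a
# repository "raw" endpoint should send for a blob, applying the
# mitigation from the advisory. Types that a browser may render as
# markup are sent as attachments, never inline.

require 'set'

# Extensions that must never be rendered inline. XML is the entry the
# fix adds; SVG was already handled this way according to the advisory.
# (Assumed list; a real deployment would maintain its own.)
FORCE_ATTACHMENT_EXTS = Set.new(%w[xml svg]).freeze

# Strip characters that would break or escape the quoted filename
# parameter of Content-Disposition.
def safe_basename(filename)
  File.basename(filename).gsub(/["\\\r\n]/, '')
end

# Headers for serving +filename+ from the raw endpoint. +content_type+
# is whatever the server would normally send (the advisory notes this
# alone is not honoured by iOS browsers for XML, which is why the
# disposition, not the type, carries the mitigation).
def raw_blob_headers(filename, content_type)
  ext = File.extname(filename).delete_prefix('.').downcase
  disposition = FORCE_ATTACHMENT_EXTS.include?(ext) ? 'attachment' : 'inline'
  {
    'Content-Type' => content_type,
    'Content-Disposition' => "#{disposition}; filename=\"#{safe_basename(filename)}\"",
    # Defence in depth against MIME sniffing in other browsers; it does
    # not address the WebKit behaviour the advisory describes.
    'X-Content-Type-Options' => 'nosniff'
  }
end

# Defender-side check: given a raw path and the headers an instance
# returned for it, true when an XML file is still served inline
# (missing Content-Disposition counts as inline, which is the default).
def inline_xml_exposure?(path, headers)
  ext = File.extname(path).delete_prefix('.').downcase
  disposition = headers.fetch('Content-Disposition', 'inline')
  ext == 'xml' && disposition.split(';').first.strip.downcase == 'inline'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  puts raw_blob_headers('docs/config.xml', 'text/plain').inspect
  puts inline_xml_exposure?('/raw/main/pom.xml',
                            'Content-Type' => 'text/plain',
                            'Content-Disposition' => 'inline')
end
```

The check function is meant to be run against the headers of an HTTP response you already have (for example from a monitoring probe of your own instance's raw endpoint); it reads only the Content-Disposition header and the path's extension, so it works the same on a patched or unpatched instance.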
Source: This report was generated using AI