CVE-2024-1451: 
GitLab vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in GitLab CE/EE affecting version 16.9 before 16.9.1, identified as CVE-2024-1451. The vulnerability was discovered on February 12, 2024, and publicly disclosed on February 21, 2024. The issue allows attackers to inject malicious payloads through the user profile page, specifically in the pronunciation field (GitLab Release, NVD).

The vulnerability exists due to improper sanitization of user input in the pronunciation field of the user profile page. The issue stems from the direct rendering of user-provided content using .html_safe in the application's view template. The vulnerability has been assigned a CVSS v3.1 base score of 8.7 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, indicating network accessibility, low attack complexity, and requiring low privileges and user interaction (GitLab Release).

When exploited, this vulnerability allows attackers to perform arbitrary actions on behalf of victims at the client side through stored XSS attacks. The high severity rating reflects the potential for attackers to gain significant control over user sessions and access sensitive information (GitLab Release).

GitLab has addressed this vulnerability in version 16.9.1. All users running affected versions are strongly recommended to upgrade to the latest version immediately. GitLab.com has already been patched with the security fix (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher yvvdwf. GitLab responded promptly by releasing a security patch and assigning a CVE identifier (GitLab Release).