CVE-2024-4207: 
GitLab vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been discovered in GitLab affecting all versions starting from 5.1 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. The vulnerability occurs when viewing an XML file in a repository in raw mode, which can be rendered as HTML under specific circumstances (NVD, GitLab Release).

The vulnerability is related to the handling of XML files in raw mode through the GitLab API. When viewing XHTML files through the API on iOS devices, the content-type headers are not properly enforced, allowing the content to be rendered as HTML instead of plain text. The issue specifically occurs when the URL ends in .xhtml or when the Content-Disposition header contains a filename with .xhtml extension. The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N (GitLab Issue, NVD).

The vulnerability could allow attackers to execute cross-site scripting attacks, particularly impacting self-hosted GitLab instances without proper Content Security Policy (CSP) configurations. While GitLab.com's CSP helps mitigate the impact, self-hosted instances may be more vulnerable to credential-stealing attacks and other XSS-based exploits (GitLab Issue).

The vulnerability has been patched in GitLab versions 17.0.6, 17.1.4, and 17.2.2. Users are strongly recommended to upgrade to these versions or later. The fix involves changes to how content-disposition headers are handled for XHTML files served through the API (GitLab Release).