CVE-2024-4901: 
GitLab vulnerability analysis and mitigation

A stored XSS vulnerability (CVE-2024-4901) was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1. The vulnerability allows malicious commit notes to be imported from a project, potentially leading to cross-site scripting attacks (GitLab Release, CVE Mitre).

The vulnerability stems from improper handling of text content in commit notes. The code vulnerability involves using the text() function to get content of a p element and then injecting the content using the html function, which allows conversion of script tags leading to XSS. The issue has been assigned a CVSS score of 8.7 (High severity) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N (GitLab Release, GitLab Issue).

The stored XSS vulnerability allows attackers to execute arbitrary actions on behalf of victims at the client side, with the ability to bypass Content Security Policy (CSP). This could potentially lead to unauthorized access and manipulation of user data within the GitLab instance (GitLab Issue).

GitLab has patched this vulnerability in versions 16.11.5, 17.0.3, and 17.1.1. Users are strongly recommended to upgrade their GitLab installations to one of these patched versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).