CVE-2024-8180: 
GitLab vulnerability analysis and mitigation

A security vulnerability (CVE-2024-8180) has been identified in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability was discovered and reported through GitLab's HackerOne bug bounty program by researcher joaxcar (GitLab Release).

The vulnerability stems from improper output encoding in the vulnerability Code flow functionality, which could lead to Cross-Site Scripting (XSS) attacks when Content Security Policy (CSP) is not enabled. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity, requiring low privileges and user interaction (NVD).

If successfully exploited, this vulnerability could allow attackers to execute cross-site scripting attacks on self-hosted GitLab instances where CSP is not enabled, potentially leading to unauthorized access to user data or manipulation of web content (GitLab Release).

GitLab has addressed this vulnerability in versions 17.3.7, 17.4.4, and 17.5.2. Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).