CVE-2024-8648: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL (GitLab Advisory).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue specifically affects the Analytics Dashboards feature where an attacker can manipulate URLs to inject malicious JavaScript code (NVD).

The vulnerability allows attackers to inject malicious JavaScript code through specially crafted URLs in Analytics Dashboards. While on GitLab.com this is blocked by Content Security Policy (CSP), self-hosted instances, particularly those behind proxies or VPNs without proper CSP configuration, are at risk of code execution (GitLab Issue).

The vulnerability has been patched in GitLab versions 17.3.7, 17.4.4, and 17.5.2. GitLab strongly recommends that all affected installations be upgraded to one of these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Advisory).

The vulnerability was discovered and reported by security researcher joaxcar through GitLab's HackerOne bug bounty program (GitLab Advisory).