A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target’s master password — and proof-of-concept code is available. Read More
Related Posts
Getting off the Attack Surface Hamster Wheel: Identity Can Help
Getting off the Attack Surface Hamster Wheel: Identity Can Help
IT professionals have developed a sophisticated understanding of the enterprise attack surface – what it is, how to quantify it and how to manage it.
The process is simple: begin by thoroughly assessing the attack surface, encompassing the entire IT environment. Identify all potential entry and exit points where unauthorized access could occur. Strengthen these vulnerable points using Read More
The Hacker News | #1 Trusted Cybersecurity News Site
GitLab Patches Critical HTML Injection Flaw Leading To XSS Attacks
GitLab Patches Critical HTML Injection Flaw Leading To XSS Attacks
GitLab has released new patch versions 17.5.1, 17.4.3, and 17.3.6 for both its Community Edition (CE) and Enterprise Edition (EE).
These updates address a critical HTML injection vulnerability that could lead to cross-site scripting (XSS) attacks, alongside other security and bug fixes.
The primary focus of this patch is a high-severity HTML injection flaw identified in GitLab’s Global Search feature.
Vulnerabilities Patched
This vulnerability, which affects all versions from 15.10 up to but not including the newly released patches, allows attackers to inject malicious HTML into the search field on a diff view.
This could enable XSS attacks, where malicious scripts are executed in users’ browsers, compromising sensitive data and user accounts.
The vulnerability has been assigned CVE-2024-8312 and carries a CVSS score of 8.7, indicating its high impact and ease of exploitation.
Free Webinar on Protecting Websites & APIs From Cyber Attacks -> Join Here
GitLab has acknowledged the contribution of security researcher joaxcar for identifying this flaw through their HackerOne bug bounty program.
GitLab strongly advises all users running affected versions to upgrade immediately to mitigate potential risks. The patched versions are already deployed on GitLab.com, ensuring that users of the hosted service are protected.
However, self-managed installations must be updated manually to prevent exploitation. Alongside the HTML injection patch, the release also addresses a medium-severity Denial of Service (DoS) vulnerability related to XML manifest file imports.
This flaw could allow attackers to disrupt services by importing maliciously crafted XML files. It has been assigned CVE-2024-6826 and is now resolved in the latest updates.
GitLab’s release strategy includes both scheduled bi-monthly updates and ad-hoc patches for critical vulnerabilities, reflecting their commitment to maintaining high security standards across all platforms.
Detailed information about each vulnerability will be made public on GitLab’s issue tracker 30 days after release.
This will allow users to understand the scope and impact of each fix while ensuring immediate protection through timely updates.
GitLab recommends that all users regularly update their installations to the latest supported versions. They also encourage following best practices outlined in their security documentation to further safeguard against potential threats.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here
The post GitLab Patches Critical HTML Injection Flaw Leading To XSS Attacks appeared first on Cyber Security News.
Schneider Electric confirms dev platform breach after hacker steals data
Schneider Electric confirms dev platform breach after hacker steals data
Schneider Electric has confirmed a developer platform was breached after a threat actor claimed to steal 40GB of data from the company’s JIRA server. […] Read More