VYPR
Unrated severity · OSV Advisory · Published Apr 25, 2019 · Updated Aug 5, 2024

CVE-2018-18643


Description

GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 have Persistent XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Persistent XSS in GitLab CE/EE via autocomplete when a user's full name contains a malicious script, fixed in 11.5.0-rc12, 11.4.6, and 11.3.10.

Vulnerability

Persistent XSS in GitLab CE/EE versions from 11.2 up to and including 11.4.5 and 11.3.9, and in 11.5.0 release candidates before 11.5.0-rc12. The autocomplete that suggests usernames when a user types @ in a comment or issue is vulnerable. If a user's full name contains an XSS payload (e.g., eve), that payload executes when another user references that user via an @mention [1].

Exploitation

An attacker can register an account, or update an existing profile, so that the full name contains a malicious XSS payload. When any other user types @ followed by the attacker's name (or the autocomplete suggests it) and submits the comment or issue, the payload executes in the browser of whoever views the rendered content. No special privileges are required beyond the ability to set the full name on one's own account [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, leading to session hijacking, credential theft, or other client-side attacks. The XSS is persistent because the malicious name is stored in the database and affects all users who view the mention [1].

Mitigation

Upgrade to GitLab versions 11.5.0-rc12, 11.4.6, or 11.3.10, which fix the issue [2]. No workaround is available for unpatched versions; administrators should apply the patch as soon as possible.
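The following added example (not GitLab's own code) shows the general pattern behind this class of bug: an autocomplete suggestion built by interpolating a stored full name into HTML unescaped, beside a hardened version that escapes every user-controlled field, plus a small audit helper for finding stored names that contain markup characters. The user records are constructed test data.

```javascript
// Minimal HTML entity escaping for text interpolated into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe rendering: the stored full name goes into the HTML string verbatim,
// so any markup in the name becomes live DOM once inserted via innerHTML.
function renderSuggestionUnsafe(user) {
  return `<li class="mention"><span class="username">@${user.username}</span> ` +
         `<span class="name">${user.name}</span></li>`;
}

// Hardened rendering: every user-controlled field is escaped first, so the
// name is always displayed as literal text, never parsed as markup.
function renderSuggestionSafe(user) {
  return `<li class="mention"><span class="username">@${escapeHtml(user.username)}</span> ` +
         `<span class="name">${escapeHtml(user.name)}</span></li>`;
}

// Defensive audit: list usernames whose stored display name contains
// markup-significant characters, for review after upgrading.
function findSuspiciousNames(users) {
  return users.filter((u) => /[<>"'&]/.test(u.name)).map((u) => u.username);
}

// Constructed sample records (hypothetical users, not real accounts).
const sampleUsers = [
  { username: 'alice', name: 'Alice Example' },
  { username: 'eve', name: 'eve<script>alert(1)</script>' },
];

// Stand-alone demonstration of the two rendering paths.
for (const u of sampleUsers) {
  console.log('unsafe:', renderSuggestionUnsafe(u));
  console.log('safe:  ', renderSuggestionSafe(u));
}
console.log('names needing review:', findSuspiciousNames(sampleUsers));
```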

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
