CVE-2018-19579
Description
GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE 11.5's Operations page has a stored XSS vulnerability via the Jaeger URL field, fixed in 11.5.1.
Vulnerability
GitLab EE version 11.5 is vulnerable to a persistent (stored) cross-site scripting (XSS) vulnerability in the Operations page, specifically in the Jaeger URL field of the project operations settings [1]. An attacker can inject arbitrary JavaScript code into this field, which is then stored and executed when a project maintainer views the Operations page [1]. The affected version is GitLab EE 11.5; the vulnerability is fixed in version 11.5.1 [1].
Exploitation
An attacker must have maintainer-level access to a GitLab project to exploit this vulnerability [1]. The attacker navigates to the project's Operations settings page (/settings/operations) and supplies a malicious payload in the Jaeger URL field, for example: https://replaceme.com/'> [1]. Upon saving the changes, the payload is stored and triggered when any maintainer visits the Operations page, causing the injected script to execute in their browser [1]. No additional user interaction beyond viewing the page is required.
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of a project maintainer's browser session [1]. This could lead to theft of session cookies, impersonation of the victim user, or further attacks within the GitLab instance, depending on the permissions of the victim [1].
Mitigation
GitLab EE users should upgrade to version 11.5.1 or later, which contains the fix for this vulnerability [1]. No workaround is available. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
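As an added, defensive illustration (not GitLab's own code and not the 11.5.1 fix), the two controls that close this class of bug in a URL-typed setting such as the Jaeger URL field: validate the value on save, and escape it again on render. The module and method names are hypothetical; the rejected sample input is the payload quoted in the Exploitation section above.

```ruby
require "uri"
require "erb"

# Hypothetical helper (added example, not GitLab code) for a URL-typed
# project setting such as the Jaeger URL field on the Operations page.
module JaegerUrlSetting
  ALLOWED_SCHEMES = %w[http https].freeze

  # Layer 1, on save: accept only a syntactically valid absolute http(s)
  # URL with a host. Ruby's RFC 3986 parser rejects characters such as
  # '>' outright, and the scheme allowlist keeps non-web schemes (for
  # example javascript:) out of an href attribute.
  def self.valid?(raw)
    return false if raw.nil? || raw.strip.empty?
    uri = URI.parse(raw.strip)
    ALLOWED_SCHEMES.include?(uri.scheme) && !uri.host.nil?
  rescue URI::InvalidURIError
    false
  end

  # Layer 2, on render: even if a bad value reached the database before
  # validation existed, HTML-escape it before placing it in the href, so
  # a quote or angle bracket cannot terminate the attribute or the tag.
  def self.link_html(stored)
    "<a href=\"#{ERB::Util.html_escape(stored)}\">Jaeger</a>"
  end
end
```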
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab/GitLab EE
- Range: =11.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/
- gitlab.com/gitlab-org/gitlab-ce/issues/53917
News mentions
No linked articles in our index yet.