Unrated severityNVD Advisory· Published Apr 12, 2024· Updated May 2, 2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

CVE-2024-2279

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6 all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete for issues references feature a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.

Affected products

GitLab Inc./GitLabv5
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Range: 16.7
GitLab Inc./GitLab CE/EEllm-fuzzy
Range: >=16.7, <=16.8.6 || >=16.9, <16.9.4 || >=16.10, <16.10.2
osv-coords
pkg:bitnami/gitlab
Range: >= 16.7.0, < 16.8.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

hackerone.com/reports/2404710mitretechnical-descriptionexploitpermissions-required
gitlab.com/gitlab-org/gitlab/-/issues/448469mitreissue-trackingpermissions-required

News mentions

GitLab Patch Release: 16.10.2, 16.9.4, 16.8.6
GitLab Security Releases · Apr 10, 2024

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000