GitLab fixed a high-severity XSS vulnerability, tracked as CVE-2024-4835, that allows attackers to take over user accounts.

An attacker can exploit this issue by using a specially crafted page to exfiltrate sensitive user information.

The vulnerability impacts versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.

The flaw was addressed with the release of versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

“A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.” reads the advisory published by the company. “By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.”