2014-01-30-xss-vulnerability-in-gitlab.html.md 1.39 KB
Robert Speicher committed
---
title: "Security vulnerability in gitlab (CVE-2013-7316)"
date: 2014-01-30 19:00
author: Marin Jankovski
categories: releases
community: true
---
### Security vulnerability in GitLab (CVE-2013-7316)

We have learned about an XSS vulnerability in GitLab. This issue was fixed in GitLab 6.5.

<!--more-->

# Cross-site scripting (XSS) vulnerability in GitLab

A cross-site scripting (XSS) vulnerability in GitLab allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file.
This vulnerability has been assigned the CVE identifier CVE-2013-7316.

Versions affected: 6.4 and earlier

Fixed versions: Community Edition 6.5.0, Enterprise Edition 6.5.0

### Impact
In affected versions, when a README was added with an arbitrary file extension, the file would be rendered as markup. This allowed an attacker to add a script that would be executed on the client side.
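The following is an added, constructed illustration of this bug class (not GitLab's own code): a README rendering policy that trusts the uploaded file's extension and passes HTML-typed content through unchanged, beside a hardened policy that renders only an allowlisted set of markup extensions and escapes everything else. The function names, the `MARKUP_EXTENSIONS` allowlist and the stand-in `markup_to_html` renderer are hypothetical.

```ruby
require 'cgi'

# Hypothetical allowlist of extensions that may be rendered as markup.
MARKUP_EXTENSIONS = %w[md markdown].freeze

# Vulnerable policy (constructed): the extension chosen by the uploader
# decides the renderer, and HTML-typed READMEs reach the browser raw.
def render_readme_vulnerable(filename, content)
  ext = File.extname(filename).delete_prefix('.').downcase
  case ext
  when 'html', 'htm' then content                   # raw HTML, script included
  when 'md', 'markdown' then markup_to_html(content)
  else CGI.escapeHTML(content)
  end
end

# Hardened policy: only allowlisted markup extensions are rendered; every
# other extension (including .html) is escaped and shown as plain text.
def render_readme_hardened(filename, content)
  ext = File.extname(filename).delete_prefix('.').downcase
  if MARKUP_EXTENSIONS.include?(ext)
    markup_to_html(content)
  else
    "<pre>#{CGI.escapeHTML(content)}</pre>"
  end
end

# Stand-in for a real markup renderer: escapes each line first and then
# recognises only the "# heading" form, so input text can never emit tags.
def markup_to_html(text)
  text.lines.map do |line|
    safe = CGI.escapeHTML(line.chomp)
    safe.start_with?('# ') ? "<h1>#{safe[2..-1]}</h1>" : "<p>#{safe}</p>"
  end.join
end

# Constructed sample of a README.html containing inline script.
CRAFTED = '<script>alert(1)</script>'.freeze

if __FILE__ == $PROGRAM_NAME
  puts render_readme_vulnerable('README.html', CRAFTED)  # script survives
  puts render_readme_hardened('README.html', CRAFTED)    # script escaped
end
```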

This vulnerability was fixed in GitLab 6.5. All users running GitLab 6.4 and earlier versions should upgrade immediately.

### Releases
GitLab 6.5 Community Edition is available from https://gitlab.com/gitlab-org/gitlab-ce and https://github.com/gitlabhq/gitlabhq.
GitLab 6.5 Enterprise Edition is available for subscribers from GitLab Cloud.
Please follow the upgrade guides from your current version to version 6.5.

### Credits
Thanks to ChenQin, Network and Information Security Lab @ Tsinghua University for reporting the vulnerability.